ILTA HANDS‐ON Securing Windows 7

8/23/2011
8024575v.1

Table of Contents

About this lab
About the Laboratory Environment
Lab 1: Restricting Users
    Exercise 1. Verify the default rights of users
    Exercise 2. Adding a user to the local administrators group
    Exercise 3. Setting up an administrative console
Lab 2: User Account Control
    Exercise 1. Standard User Account Control
    Exercise 2. User Account Control Policy Settings
    Exercise 3. Administrator Access – Protected Desktop
Lab 3: File and Registry Virtualization
    Exercise 1. Demonstrate how file virtualization works
Lab 4: Windows Firewall
    Exercise 1. Permitting applications through the firewall
    Exercise 2. Creating a new inbound firewall rule
Lab 5: Creating Security Policies
    Exercise 1. Create a Group Policy Object to manage Security
    Exercise 2. Configure Default Firewall Policies
    Exercise 3. Configure Inbound Firewall Rules
    Exercise 4. Control Local User Accounts via Group Policy Preferences
    Exercise 5. Change the local administrator account password via Group Policy Preferences
    Exercise 6. Add a local administrator account for laptops only
Lab 6: Configuring AppLocker
    Exercise 1. Configure AppLocker Rules
    Exercise 2. Configure AppLocker to enable auditing
    Exercise 3. Configure AppLocker to deny application access

About this lab

This laboratory session is designed to familiarize you with some of the security features of the Windows 7 operating system. We will take you through typical administrative tasks of managing the security of Windows 7, such as restricting application access and managing local security groups. The first part of the lab will focus on understanding and configuring local security features. The second part will focus on deploying and managing those settings through Group Policy.

This laboratory is targeted at the desktop administrator, and assumes that the participant has general experience with Windows 7, Active Directory, and Group Policy technologies. While relevant experience is helpful, it is not required to complete the lab exercises.

About the Laboratory Environment

You will be working in teams of two, sharing a workstation between members. The workstation has been configured with Windows 2008 R2 Hyper-V in order to house the virtual computers required for this lab. We have configured two virtual machines as follows:

• SECW7-DC: A Windows 2008R2 Server, with Active Directory, DNS, and DHCP installed.
• SECW7-CLIENT: A Windows 7 SP1 x64 client, joined to our Active Directory domain.

Both virtual machines have been set up in the ILTA11.local domain and exist on the same network.

Notes:

• You should use the IT.Manage account for the laboratory tasks, except where noted. Its password is Ilta11admin.
• The password for administrator is p@ssw0rd.
• Two typical users have also been set up: Ken and Sally. Their passwords are Ilta11user.
• DO NOT USE THE CTRL-ALT-DEL KEY SEQUENCE, AS IT WILL DISRUPT YOUR VIRTUAL SERVER SESSION. You should use the RIGHT ALT-DEL key sequence instead.

Lab 1: Restricting Users

One of the key foundations of desktop security is the principle of Least Privilege. In a Least Privilege environment, a user should only have the rights necessary to perform their business needs. All other privileges, such as installing software, making system-wide settings, or accessing secure areas, should be blocked. During a typical configuration of Windows 7, the default user is set up as a limited user, following the principle of least privilege.

In this lab, we learn some of the security basics of account management.

Exercise 1. Verify the default rights of users

Like previous versions, Windows 7 relies on the NT File System to provide security at the folder and file level. Knowing basic folder security is crucial to troubleshooting and managing applications in a secure environment.

1. Switch to the SECW7-CLIENT virtual machine, and press the CTRL – ALT – DEL button (upper left corner). Log in as it.manage. The password is Ilta11admin.
2. Launch Windows Explorer. (Start => Type “explorer”)
3. Browse to Computer => C:\Program Files. Right click on the Program Files directory and choose Properties.
4. Select the Security tab. Note the default permissions for the folder. Click Users to see that users only have Read & execute, List folder contents and Read rights.
5. Click Advanced. More granular permissions are presented. Take note of permissions for TrustedInstaller and System by double clicking each name. They have full control, along with Administrators.

TIP – Introduced in Vista, the Trusted Installer service account is used by UAC to protect critical operating system files. As it is the owner of those critical files, it keeps applications (or users!) running as system or administrator from modifying operating system files. In some cases, only the Trusted Installer account has full access to files.

6. Select the Effective Permissions tab. Press Select. Type in Ken and choose Check Names. Press OK. Note the default permissions on the folder. Press OK twice.
7. Browse to C:\ProgramData. Right click on the directory. Choose Properties.

TIP – If you do not see C:\ProgramData, press the ALT key once while in Windows Explorer. Go to Tools => Folder Options. Select the View tab and make sure “Show hidden files, folders and drives” is selected.

8. Select the Security tab. Note the default permissions for the folder. Click Advanced.
9. Select the Effective Permissions tab. Press Select. Type in Ken and choose Check Names. Press OK. Note the default permissions on the folder. In the ProgramData folder, Ken can write and modify files, but not delete them. Press OK twice.

Exercise 2. Adding a user to the local administrators group

1. Logged in as it.manage, go to Start and type “users” in the search programs and files dialog. Select Edit local users and groups.
2. Click Groups and double click Administrators. Note that the IT Computer Management group is a member. The it.manage user gets local administrative rights via this domain group.

TIP – Adding a domain group to the administrators group is a more effective way to manage local administrative permissions, as it is easier to manage one group rather than many individual user accounts on each machine.

3. IMPORTANT: To demonstrate managing the administrator group via Group Policy preferences in a later exercise, add Sally to the administrators group on the computer. Click Add and type “Sally” in the Check Names dialog. Press OK twice.

Exercise 3. Setting up an administrative console

For administrative tasks, it is helpful to consolidate your management tools into one snap-in, reducing the number of elevations you need to perform each day. You can then use Right click => Run as Administrator to run the console with the same administrative token.

1. Switch to a standard user. Go to Start => Shut Down => Switch user.
2. Log in as Ken. The password is Ilta11user.
3. Go to Start => mmc. Select mmc.exe from the search results.
4. Click File => Add/Remove Snap-in…
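
The folder-permission review from Exercise 1 and the Administrators group review from Exercise 2 of Lab 1 can also be scripted so the same check can be repeated on other machines. The following is an added example, not part of the original lab handout; the function names, the list of trusted principals and the allowlist of expected administrators are assumptions made for illustration.

```powershell
# Added example, not part of the original lab. Written for PowerShell 2.0 (Windows 7 SP1).

# Rights that let a principal alter folder contents or security settings, plus the
# raw GENERIC_WRITE / GENERIC_ALL bits that Get-Acl reports on inherit-only entries.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

# Principals expected to hold full control (English account names; CREATOR OWNER is
# an assumption added to the three accounts named in Exercise 1, step 5).
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Hypothetical helper: list Allow entries that give any other principal a write-type right.
function Get-WritableAce {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($trusted -notcontains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } | Select-Object @{n='Path'; e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# Hypothetical helper: list local Administrators members and mark those not on an allowlist.
function Get-LocalAdministrator {
    # $Expected is an assumed allowlist for this lab: the built-in account, the domain
    # group seen in Exercise 2, and Domain Admins (added when a machine joins a domain).
    # Matching is by account name only, so review the ADsPath column for the source domain.
    param([string[]]$Expected = @('Administrator', 'Domain Admins', 'IT Computer Management'))
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $name    = ($adsPath -split '/')[-1]
        New-Object PSObject -Property @{
            Member   = $name
            ADsPath  = $adsPath
            Expected = ($Expected -contains $name)
        }
    }
}

# Exercise 1: write-capable entries held by anyone outside the trusted list.
'C:\Program Files', 'C:\ProgramData' | ForEach-Object { Get-WritableAce -Path $_ } |
    Format-Table -AutoSize
# Exercise 2: members of the local Administrators group that are not on the allowlist.
Get-LocalAdministrator | Where-Object { -not $_.Expected } |
    Format-Table Member, ADsPath -AutoSize
```

Once step 3 of Exercise 2 has been completed, Sally is a member of Administrators but is not on the assumed allowlist, so the second command reports her account.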
