
Implementing Client Security on Windows 2000 and Windows XP


nedaa

Presentation Transcript


  1. Implementing Client Security on Windows 2000 and Windows XP

  2. Session Prerequisites • Hands-on experience with Windows 2000 or Windows XP management tools • Knowledge of Active Directory and Group Policy • Level 200

  3. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  4. The Importance of Security • Protect information • Protect communication channels • Reduce downtime • Protect revenues • Protect worker processes (2003 CSI/FBI Computer Crime and Security Survey)

  5. Defense in Depth • Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success • Layers shown in the diagram: • Data: ACL, encryption • Application: application hardening, antivirus • Host: OS hardening, update management, authentication, HIDS • Internal Network: network segments, IPSec, NIDS • Perimeter: firewalls, VPN quarantine • Physical Security: guards, locks, tracking devices • Policies, Procedures, & Awareness: user education

  6. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  7. Components of Client Computer Security

  8. Managing Software Updates • Implement an update management solution to protect against vulnerabilities • Attend Patch Management training session or review prescriptive guidance at: http://www.microsoft.com/technet/security

  9. Password Best Practices • Educate users about good password practices • Use pass phrases with spaces, numbers, and special characters instead of passwords • Use different passwords for different resources, and protect password list • Configure screen savers to use password protection, and lock workstations when away • Use multifactor authentication for extra levels of security

  10. Data Protection • Use EFS to restrict access to data • Sign e-mail and software to ensure authenticity • Use Information Rights Management to protect digital information from unauthorized use

  11. Mobile Computing • The use of mobile computing devices introduces further security considerations • Mobile devices extend the perimeter when connected to corporate assets • Additional layers of defense are required: • BIOS passwords • Network Access Quarantine Control • Wireless authentication protocols • Data protection

  12. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  13. Active Directory Components • Forest • A security boundary in Active Directory • Domain • A collection of computer, user, and group objects defined by the administrator • Organizational Unit • An Active Directory container object used within domains • Group Policy • The infrastructure that enables the implementation and management of network security

  14. Establishing an OU Hierarchy • Group Policy simplifies the application of client security settings • Split hierarchy model • Windows XP Security Guide • Separates user and computer OUs • Applies appropriate policy settings to each OU • Diagram labels: Root Domain, Domain Controller OU, Department OU, Secured XP Users OU, Windows XP OU, Desktop OU, Laptop OU

  15. Demonstration 1: Modifying Active Directory for Client Security • Viewing Default Domain Policy • Creating an OU Hierarchy • Creating an OU Policy • Moving the Client

  16. How to Create an OU Hierarchy • Create OUs for each department • Create OUs in each department for users and for various operating system versions • Create OUs under each operating system OU for each computer type (for example, laptops) • Move each client computer object into the appropriate OU

  17. Best Practices for Using Active Directory to Implement Security • Create OU structure for client security • Create OU hierarchy to separate user and computer objects based on role • Apply Group Policy with appropriate security settings for each computer role

  18. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  19. Using Security Templates • Security templates are preconfigured sets of security settings • Windows XP Security Guide templates include: • Two domain templates that contain settings for all computers in the domain • Two templates that contain settings for desktop computers • Two templates that contain settings for laptop computers • Each template has an enterprise and high-security version • The settings in a security template can be edited, saved, and imported into a GPO

  20. Using Administrative Templates • Administrative templates contain registry settings that can be applied to users and computers • Windows XP SP1 administrative templates have over 850 settings • The Windows XP Security Guide includes ten additional administrative templates • Third-party software companies might supply additional templates • You can import additional templates when editing a GPO

  21. What Are Security Settings?

  22. Top Eight Client Security Settings • The most commonly modified client computer security settings include: • Allowed to format and eject removable media • Anonymous enumeration of SAM accounts • Enable auditing • Everyone includes anonymous • LAN Manager authentication level • Password Policy • Remove LM hashes • SMB signing

  23. Demonstration 2: Using Group Policy • Viewing Windows XP Security Settings • Viewing Administrative Templates • Viewing the Available Security Templates • Applying Security Templates • Implementing the Security Templates

  24. How to Apply Security Templates and Administrative Templates • Diagram labels: Root Domain (Domain Policy, Enterprise Client Domain.inf) • Domain Controller OU • Department OU • Secured XP Users OU (Secured XP Users Policy) • Windows XP OU • Desktop OU (Desktop Policy, Enterprise Client Desktop.inf) • Laptop OU (Laptop Policy, Enterprise Client Laptop.inf)

  25. Best Practices for Using Group Policy to Secure Clients • Use enterprise client templates as a baseline and modify them to suit your needs • Implement strict account and audit policies • Test templates thoroughly before deployment • Use additional administrative templates
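One way to test a template before deployment, as an added example that is not part of the presentation: a small Python check that parses a security template (.inf) and reports which of the eight settings from slide 22 are missing or weak. The sample template is constructed, and the pass thresholds are assumptions for illustration, not values from the Windows XP Security Guide.

```python
R = "Registry Values"
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SVC = "MACHINE\\System\\CurrentControlSet\\Services\\"
# Constructed sample template, not a file from the Windows XP Security Guide.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
"""
# (section, key, acceptance test, slide-22 setting); thresholds are assumed.
CHECKS = [
    ("System Access", "MinimumPasswordLength", lambda v: int(v) >= 8, "Password Policy"),
    ("Event Audit", "AuditLogonEvents", lambda v: v != "0", "Enable auditing"),
    (R, LSA + "LmCompatibilityLevel", lambda v: int(v) >= 3, "LAN Manager authentication level"),
    (R, LSA + "NoLMHash", lambda v: v == "1", "Remove LM hashes"),
    (R, LSA + "RestrictAnonymousSAM", lambda v: v == "1", "Anonymous enumeration of SAM accounts"),
    (R, LSA + "EveryoneIncludesAnonymous", lambda v: v == "0", "Everyone includes anonymous"),
    (R, "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllocateDASD",
     lambda v: v == "0", "Allowed to format and eject removable media"),
    (R, SVC + "LanmanWorkstation\\Parameters\\RequireSecuritySignature", lambda v: v == "1", "SMB signing"),
]

def parse_inf(text):
    """Return {(section, lowercased key): value}, registry type prefixes dropped."""
    out, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            # Registry lines are "type,value": 4,1 -> 1 and 1,"0" -> 0
            value = value.split(",", 1)[-1].strip('"') if section == R else value
            out[(section, key.lower())] = value
    return out

def audit(text):
    """List (setting, problem) for each slide-22 check that is missing or weak."""
    found, findings = parse_inf(text), []
    for section, key, ok, name in CHECKS:
        value = found.get((section, key.lower()))
        if value is None or not ok(value):
            findings.append((name, "missing" if value is None else "weak: " + value))
    return findings
```

Calling `audit(SAMPLE_INF)` flags the LAN Manager authentication level and the absent SMB signing entry in the constructed template.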

  26. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  27. Internet Explorer Administrative Templates • Enforces security requirements for Windows XP workstations • Prevents the exchange of unwanted content • Use settings included in the enterprise client templates • Use Internet Explorer Maintenance (IEM) in Group Policy to configure security zones for trusted sites

  28. Internet Explorer Zones

  29. Microsoft Outlook • Use the Outlook Administrator Pack to customize Outlook security • Use the Outlook Administrative Template to configure Outlook security • Outlook 2003 security enhancements • Warns user before opening potentially dangerous file types • Runs executable content in the Restricted Sites zone • Does not automatically load HTML content

  30. Microsoft Office Administrative Templates • Templates for Office XP ship with the Windows XP Security Guide • Templates for Office 97 and later are available when you download the applicable version of the Office Resource Kit

  31. Best Practices for Securing Applications • Educate users about how to safely download files from the Internet and how to safely open e-mail attachments • Only install applications that are required for users to do their jobs • Implement a policy for updating applications

  32. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  33. Local Group Policy Settings • When clients are not members of an Active Directory domain, use local Group Policy to configure standalone client computers • Standalone Windows XP clients use a modified version of the security templates • Each Windows XP Professional client uses a local GPO and the Group Policy Object Editor or scripts to apply settings

  34. Predefined Security Templates • If clients connect to a Windows NT 4.0 domain, use: • If clients do not connect to a Windows NT 4.0 domain, use standalone security templates

  35. Demonstration 3: Securing Standalone Clients • Modifying a Security Template • Deploying a Security Template • Viewing Example Scripts • Viewing Security Settings

  36. How To Use Local Security Policy to Secure Standalone Clients • Load the Local Group Policy MMC (Gpedit.msc) • Navigate to Computer Settings/Windows Settings and then right-click the Security Settings node and select Import Policy • Browse to the location that contains the appropriate security template (for example, Legacy High Security – Desktop) • Configure additional security settings as per prescriptive guidance

  37. Best Practices for Applying Local Group Policy Settings • Use the standalone template from the Windows XP Security Guide as a baseline • Use the secedit tool to automate standalone template distribution • Develop procedures to deploy policies • Implement mechanisms to update clients

  38. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  39. What Is Software Restriction Policy? • Policy-driven mechanism that identifies and controls software on a client computer • Default security level has two options: • Unrestricted – all software except specifically denied software can be run • Disallowed – only specifically allowed software can be run

  40. How Software Restriction Works • Step 1: Define policy for the domain using Group Policy Editor • Step 2: Download policy by Group Policy to the computer • Step 3: Enforced by operating system when software is run

  41. Four Rules for Identifying Software • Certificate Rule • Checks for digital signature on application (for example, Authenticode) • Use when you want to restrict both Win32 applications and ActiveX content • Hash Rule • Compares the MD5 or SHA1 hash of a file to the one attempting to run • Use when you want to allow or prohibit a certain version of a file from being run • Path Rule • Compares path of file being run to an allowed path list • Use when you have a folder with many files for the same application • Essential when SRPs are strict • Internet Zone Rule • Controls how Internet Zones can be accessed • Use when in high security environments to control access to Web applications

  42. Demonstration 4: Applying a Software Restriction Policy • Creating a Software Restriction Policy • Restarting the Virtual Machine • Setting Administrator Override • Testing the Software Restriction Policy

  43. How to Apply Software Restrictions • Open the Group Policy object for the OU in which you want to apply the software restriction policy • Navigate to the Computer Settings/Windows Settings/Security Settings node • Right-click Software Restriction Policies and then click Create New Policies • Configure Hash, Certificate, Path, and Internet Zone rules to accommodate your organization’s needs

  44. Best Practices for Applying Software Restriction Policies • Create a rollback plan • Use a separate Group Policy object to implement software restrictions • Use in conjunction with NTFS for defense in depth • Never link to another domain • Thoroughly test new policy settings
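To reason about a rule set before testing it on clients, here is an added Python model (not from the presentation) of the default security level from slide 39 combined with the hash and path rules from slide 41. Certificate and Internet zone rules are left out, the precedence used (hash rule before path rule, most specific path first) is an assumption taken from general SRP behaviour rather than from the slides, and the folder names and file bytes are constructed.

```python
import hashlib
import ntpath

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

def norm(path):
    # Collapse "..", unify separators and case, as Windows paths compare.
    return ntpath.normcase(ntpath.normpath(path))

class Policy:
    def __init__(self, default_level):
        self.default_level = default_level
        self.hash_rules = {}   # SHA1 hex digest -> level
        self.path_rules = {}   # normalised folder or file path -> level

    def add_hash_rule(self, file_bytes, level):
        self.hash_rules[hashlib.sha1(file_bytes).hexdigest()] = level

    def add_path_rule(self, path, level):
        self.path_rules[norm(path)] = level

    def evaluate(self, path, file_bytes):
        """Return (level, reason) for a file that is about to run."""
        digest = hashlib.sha1(file_bytes).hexdigest()
        if digest in self.hash_rules:            # assumed: hash rule wins
            return self.hash_rules[digest], "hash rule"
        target = norm(path)
        matches = [p for p in self.path_rules
                   if target == p or target.startswith(p + "\\")]
        if matches:                              # assumed: longest path wins
            best = max(matches, key=len)
            return self.path_rules[best], "path rule"
        return self.default_level, "default level"

def demo():
    old_tool = b"constructed bytes: tool v1.0"   # version to prohibit
    new_tool = b"constructed bytes: tool v1.1"
    app = r"C:\Program Files\ExampleApp"         # hypothetical folder
    policy = Policy(DISALLOWED)                  # only allowed software runs
    policy.add_path_rule(app, UNRESTRICTED)
    policy.add_path_rule(app + r"\Downloads", DISALLOWED)
    policy.add_hash_rule(old_tool, DISALLOWED)
    cases = [(app + r"\tool.exe", new_tool),
             (app + r"\tool.exe", old_tool),
             (app + r"\Downloads\setup.exe", new_tool),
             (app + r"\..\..\Temp\tool.exe", new_tool),
             (app + r"Evil\tool.exe", new_tool)]
    return [policy.evaluate(path, data) for path, data in cases]
```

The last two cases in `demo()` show why the path is normalised and matched on a folder boundary: a `..` escape and a look-alike sibling folder both fall through to the Disallowed default.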

  45. Agenda • Introduction • Core Client Security • Securing Clients with Active Directory • Using Group Policy to Secure Clients • Securing Applications • Local Group Policy Settings for Standalone Clients • Software Restriction Policy • Antivirus Software • Client Firewalls

  46. The Virus Problem • Virus costs now exceed $10 billion • Direct cost • IT staff or consultants • Indirect IT costs • Loss of productivity, data, or goodwill

  47. Antivirus Deployment

  48. Antivirus Updates • Desktop computers • Local servers store virus updates for distribution • The best solution is a push model, in which the definitions are immediately copied to the clients • Do not rely on users to download updates • Laptop computers • Use Internet updates when away from office

  49. Best Practices for Virus Protection • Apply vendor updates regularly • Use a central deployment strategy • Use client-specific software on clients
