• Applying a write-restricted access token to the service process. This access token can be used in cases where the set of objects written to by the service is bounded and can be configured. Write attempts to resources that do not explicitly grant the Service SID access will fail.
• Controlling services by using network firewall policies, which prevents network access outside the normal bounds of the service program. Service SIDs are linked directly with the firewall policy.
Demonstration: Viewing Service Configuration
In this demonstration, you will see how you can:
• View the properties of the Dynamic Host Configuration Protocol (DHCP) Client service
• View the properties of the Workstation service
Key Points
• Services in Windows Vista have been hardened to require lower privileges to reduce the risk of a service being compromised.
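The following PowerShell script is an added example, not part of the course, that shows the hardening data behind the demonstration for the two services named above: the per-service SID, its SID type (RESTRICTED means a write-restricted token) and the privileges the service keeps. It assumes the service short names Dhcp and LanmanWorkstation and that sc.exe is on the PATH.

```powershell
# Added example (not from the course): inspect the hardening configuration of the
# DHCP Client and Workstation services. Service short names are assumed to be
# 'Dhcp' and 'LanmanWorkstation'. Requires Windows Vista or later.
# Note: in PowerShell 'sc' is an alias for Set-Content, so sc.exe is called explicitly.
$services = 'Dhcp', 'LanmanWorkstation'

function Get-ScSection {
    # Run one sc.exe query for a service and return its output as a trimmed string.
    param([string]$Verb, [string]$Name)
    (& sc.exe $Verb $Name 2>&1 | Out-String).Trim()
}

foreach ($name in $services) {
    $svc = Get-Service -Name $name
    Write-Host ("=== {0} ({1}) ===" -f $svc.DisplayName, $name)
    Write-Host ("Status     : {0}" -f $svc.Status)

    # Win32_Service exposes the logon account and start mode of the service.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Host ("Account    : {0}" -f $wmi.StartName)
    Write-Host ("Start mode : {0}" -f $wmi.StartMode)

    # Service SID type: NONE, UNRESTRICTED, or RESTRICTED (write-restricted token).
    Write-Host (Get-ScSection 'qsidtype' $name)
    # The per-service SID (NT SERVICE\<name>) that ACLs and firewall rules can reference.
    Write-Host (Get-ScSection 'showsid' $name)
    # Privileges the service requested; all others are removed from its token.
    Write-Host (Get-ScSection 'qprivs' $name)
    Write-Host ''
}
```

A service that reports SERVICE_SID_TYPE: RESTRICTED can only write to objects whose ACL explicitly grants its Service SID access, which is the behaviour described above.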
What Is User Account Control?
User Account Control (UAC) is a new feature in Windows Vista that makes it easier for users to run as standard users and perform all their necessary day-to-day tasks.
Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.
Standard Users
In previous versions of Windows, many users were configured to use administrative privileges rather than standard user permissions. This was done because previous versions of Windows required administrator permissions to perform basic system tasks such as adding a printer or configuring the time zone. In Windows Vista, many of these tasks no longer require administrative privileges.
When users have administrative permissions to their computers, they are able to install additional software. Despite corporate policies against installing unauthorized software, many users do install unauthorized software, which may make their systems less stable and drive up support costs.
When UAC is enabled and a user needs to perform a task that requires administrative permissions, UAC prompts the user for the credentials of a user with administrative privileges. In a corporate environment, the Help desk could give the user temporary credentials that have local administrative privileges to complete the task.
Administrative Users
UAC allows users with administrative privileges to run as standard users most of the time. When users with administrative privileges perform a task that requires administrative privileges, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed using full administrative rights, and then the account reverts to a lower level of privilege.
How UAC Prevents Malware
Malware usually is installed by using the privileges of the user that is logged on at the computer. When a user has standard user privileges rather than administrative privileges, malware is less likely to be installed and will cause less damage if it does get installed.
Standard Users
If a standard user attempts to install a Trojan that contains malware, the user will not be able to install it because a standard user does not have sufficient privileges to install software. Because UAC allows users to perform most necessary tasks without administrative privileges, users can be configured as standard users and still perform all of their necessary tasks.
If malware is installed on a computer when a user logs on, the ability of the malware to spread itself and access data is limited to the privileges of the user. If the user has only standard user privileges, the impact of the malware is reduced when compared to running as a user with administrative privileges.
Administrative Users
Malware can no longer silently install itself when administrative users are logged in. The default permission level for administrative users is to run as a standard user. An application can install only when an administrative user grants permission to elevate privileges. In addition, any malware attempting to perform tasks requiring administrative user privileges must be explicitly granted permission by the user.
UAC Administration
UAC can be configured by using the local security policy or Group Policy. In most corporate environments, Group Policy is preferred because it can be centrally managed and controlled.
The following options are available to configure UAC in the local security policy or a Group Policy object:
• User Account Control: Admin Approval Mode for the Built-in Administrator Account. This option requires the built-in local Administrator account to approve elevation to administrative privileges. The default setting is on.
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This option allows you to disable UAC for administrators, prompt for administrative credentials, or prompt for permission. The default configuration prompts for consent when administrative privileges are required.
• User Account Control: Behavior of the elevation prompt for standard users. This option allows you to configure the elevation prompt to ask for credentials or disable the elevation prompt. If the elevation prompt is disabled, users must use Runas to start the application with administrative privileges. The default configuration prompts for credentials.
• User Account Control: Detect application installations and prompt for elevation. This option is required for the proper installation of most legacy applications. When enabled, UAC automatically detects application installations and prompts to elevate privileges. The default setting is on.
• User Account Control: Only elevate executables that are signed and validated. This option restricts privilege elevation to applications that are digitally signed. To allow unsigned legacy applications, this option should be disabled. The default configuration is disabled.
• User Account Control: Run all administrators in Admin Approval Mode. This option requires all users with administrative privileges to approve privilege elevation for processes. If this option is disabled, UAC is disabled for administrative users and standard users. The default configuration is enabled.
• User Account Control: Switch to the secure desktop when prompting for elevation. This option limits communication with the elevation prompt to Windows Vista processes to prevent malware from approving elevation. The default setting is enabled.
• User Account Control: Virtualize file and registry write failures to per-user locations. This option allows legacy applications that are not UAC compliant to run properly by redirecting registry and file writes to the user profile. Redirection happens silently and the user is unaware of the redirection. The default configuration is enabled.
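As an added example that is not part of the course, the script below reads the registry values that store the eight UAC policy settings listed above and flags the combinations that weaken UAC (UAC off, administrators elevating without a prompt, standard users denied elevation, prompt not on the secure desktop). The mapping of policy names to value names under the Policies\System key is drawn from general Windows knowledge, not from the course text.

```powershell
# Added example (not from the course): audit the local UAC configuration.
# Assumption: each Group Policy setting above is stored as the named DWORD under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$settings = @(
    @{ Name = 'FilterAdministratorToken';    Policy = 'Admin Approval Mode for the Built-in Administrator Account' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Policy = 'Behavior of the elevation prompt for administrators' }
    @{ Name = 'ConsentPromptBehaviorUser';   Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Name = 'EnableInstallerDetection';    Policy = 'Detect application installations and prompt for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures'; Policy = 'Only elevate executables that are signed and validated' }
    @{ Name = 'EnableLUA';                   Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'PromptOnSecureDesktop';       Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'EnableVirtualization';        Policy = 'Virtualize file and registry write failures to per-user locations' }
)

function Get-UacAudit {
    # Return one object per setting: the raw value and a warning where it weakens UAC.
    $props = Get-ItemProperty -Path $key
    foreach ($s in $settings) {
        $value = $props.($s.Name)
        $warning = ''
        switch ($s.Name) {
            # 0 turns UAC off for administrators and standard users alike.
            'EnableLUA'                  { if ($value -eq 0) { $warning = 'UAC is disabled for all users' } }
            # 0 = elevate without prompting: malware runs with full rights silently.
            'ConsentPromptBehaviorAdmin' { if ($value -eq 0) { $warning = 'administrators elevate without a prompt' } }
            # 0 = automatically deny: standard users must fall back to Runas.
            'ConsentPromptBehaviorUser'  { if ($value -eq 0) { $warning = 'standard users cannot elevate; Runas required' } }
            # 0 = prompt on the interactive desktop, where other processes can reach it.
            'PromptOnSecureDesktop'      { if ($value -eq 0) { $warning = 'elevation prompt is not on the secure desktop' } }
        }
        if ($value -eq $null) { $value = '(not set)' }
        New-Object PSObject -Property @{ Policy = $s.Policy; Value = $value; Warning = $warning }
    }
}

Get-UacAudit | Format-Table Policy, Value, Warning -AutoSize
```

A value shown as (not set) means the policy has never been written locally and the Windows default applies.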
Demonstration: Working with User Account Control
In this demonstration, you will see how you can:
• Use UAC as an administrator
• Use UAC as a standard user
• Disable UAC
Key Points
• User Account Control allows users to run as standard users and elevate privileges only when required.
What Is Windows Defender?
Spyware is software that is installed without your knowledge to monitor what you do with your computer. Spyware can cause serious problems. For example, it can steal the personal information you enter into Web sites, such as online banking sites. Less serious but also troublesome, spyware can present pop-up ads when you visit other Web sites or replace advertisements on legitimate Web sites.
Most spyware is not well-written software. As a consequence, spyware often causes computers to stop responding or run slowly.
Windows Defender
Windows Defender is software that prevents your computer from being infected by spyware and removes spyware that is already installed. Previous revisions of Windows Defender were named Windows AntiSpyware.
Windows Defender is available for Microsoft Windows® XP and Windows 2000. However, the version of Windows Defender for Windows Vista has the following features not found in other versions:
• Scan changed files only
• Run under a security-enhanced account
• Scan files when they are run
• Scan files as they are downloaded in Internet Explorer 7
Definition Files
Windows Defender uses spyware definition files to identify spyware. The definition files contain signatures that uniquely identify files that have been determined to be spyware. When the spyware files are identified, they can be removed. This process is similar to the way antivirus software works.
To help build the spyware definition files, Microsoft has created a voting network to collect information about spyware. If you choose to participate in the voting network, information about the programs you have blocked is transmitted to the voting network. Microsoft analyzes the blocked programs from users in the voting network and then determines whether a particular program needs to be added to the spyware definition files. Like antivirus software, Windows Defender definition files need to be updated regularly to be useful. The definition files are updated daily by default. There is no cost for the definition file updates.
Windows Defender Scanning Modes
The scanning mode you select for Windows Defender determines how your computer is scanned for spyware. You can use Real-Time Protection, perform on-demand scans, and schedule scans.
Real-Time Protection is the first line of defense in spyware protection. When Real-Time Protection is enabled, Windows Defender monitors critical checkpoints in Windows. If the Real-Time Protection system detects a change in any checkpoint, you are alerted and given the option to allow or block the change. Using Real-Time Protection prevents the installation of spyware.
Both on-demand scans and scheduled scans look for spyware that is already installed on your computer. They are both useful even when Real-Time Protection is enabled. For example, a computer could be infected with unrecognized spyware on Monday. Later in the week, the spyware definitions are updated to recognize the spyware, but Real-Time Protection will not find it, because it only monitors changes. An on-demand or scheduled scan will find the spyware after it is installed.
On-demand scans are used to quickly determine whether a computer has spyware installed when a problem occurs. Scheduled scans are used as part of an overall monitoring system to catch spyware that is missed by Real-Time Protection.
Demonstration: Configuring Windows Defender
In this demonstration, you will see how you can:
• Configure a scheduled scan
• Configure Real-Time Protection
• Run a manual scan
Key Points
• Windows Defender removes spyware and prevents spyware installation.
Network Protection Features in Windows Vista
Introduction
Networks are the source of many security problems, from hackers to viruses. It is impossible to know the nature of every possible network attack, as the types of attacks are evolving all of the time. In this section, you will see how Windows Firewall and Network Access Protection help prevent network attacks, even those that are new.
Objectives
After completing this section, you will be able to:
• Describe Windows Firewall
• Explain the new features in Windows Firewall
• Describe Network Access Protection
• List and explain the NAP components
• Describe potential NAP implementation scenarios
What Is Windows Firewall?
A firewall helps keep your computer more secure by controlling network access to your computer. Firewalls allow or deny network packets that try to pass through them. This gives you a line of defense against people or programs that try to connect to your computer without an invitation.
Windows Firewall is enabled by default in Windows Vista and monitors incoming packets. To allow network communication for specific applications, such as network games or instant messaging, where communication may be initiated by another computer, you need to create an exception for that application. In most cases, Windows Firewall prompts you to allow or deny the exception when you run the program.
Windows Firewall can:
• Help block viruses and worms by not allowing access to vulnerable services by default
• Ask your permission to block or unblock connection requests made by software
• Create a security log that allows you to monitor which network packets have been blocked and where they are coming from
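The security log mentioned in the last point is a plain-text file in W3C extended log format. The PowerShell script below is an added example, not from the course, that parses that format and reports which source addresses had packets dropped and on which ports; the log lines it runs on are constructed for the example, and the default log path is assumed to be %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log with dropped-packet logging enabled.

```powershell
# Added example (not from the course): summarize dropped packets from a Windows
# Firewall log. The lines below are constructed sample data in the pfirewall.log format.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-12 09:15:02 DROP TCP 192.168.1.50 192.168.1.10 4321 445 48 S 123456 0 8192 - - - RECEIVE
2007-03-12 09:15:03 DROP TCP 192.168.1.50 192.168.1.10 4322 135 48 S 123457 0 8192 - - - RECEIVE
2007-03-12 09:15:04 ALLOW TCP 192.168.1.10 10.0.0.5 1040 80 0 - 0 0 0 - - - SEND
2007-03-12 09:15:07 DROP TCP 192.168.1.50 192.168.1.10 4330 445 48 S 123460 0 8192 - - - RECEIVE
2007-03-12 09:15:09 DROP UDP 192.168.1.77 192.168.1.10 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

function Get-DroppedSummary {
    # Parse log lines using the #Fields header, then count DROP entries per
    # source address and destination protocol/port.
    param([string[]]$Lines)
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -eq '' -or $line.StartsWith('#') -or -not $fields) { continue }
        $parts = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        if ($row['action'] -ne 'DROP') { continue }
        $k = '{0} -> {1}/{2}' -f $row['src-ip'], $row['protocol'], $row['dst-port']
        $counts[$k] = 1 + [int]$counts[$k]   # missing key casts to 0
    }
    $counts.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { New-Object PSObject -Property @{ Source = $_.Key; Dropped = $_.Value } }
}

Get-DroppedSummary -Lines $sampleLog | Format-Table Source, Dropped -AutoSize
# Live log (requires dropped-packet logging to be enabled):
# Get-DroppedSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Repeated drops from one address against ports 445 and 135, as in the sample, are the pattern of a host probing for file sharing and RPC services and are worth following up on.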
New Features in Windows Firewall
The firewall in Windows Vista is significantly enhanced over the firewall in Windows XP Service Pack 2 (SP2). The Windows Firewall enhancements in Windows Vista are:
• Filtering for outbound traffic
• Firewall filtering and Internet Protocol security (IPsec) settings are combined
• Rules (exceptions) can be configured for many new situations
Filtering Support
The firewall in Windows XP SP2 supported only inbound filtering. This is the most important type of filtering because it controls external users or software attempting to access the computer.
The firewall in Windows Vista supports inbound filtering and outbound filtering. This allows network administrators to block packets that originate on a workstation from reaching the network. Outbound filtering can be used to block users from accessing external services, such as an external e-mail server. Outbound filtering can also be used to prevent viruses from replicating over the network if they are known to use a specific port.
Integration with IPsec
IPsec is a set of Internet standards that provide cryptographic protection for IP traffic. In Windows Server® 2003 and Windows XP, Windows Firewall and IPsec are configured separately. Because both a host-based firewall and IPsec in Windows can block or allow incoming traffic, it is possible to create overlapping or contradictory firewall rules and IPsec rules. The new Windows Firewall has combined the configuration of both network services using the same graphical user interface (GUI) and command-line commands. Another benefit to the integration of firewall and IPsec settings is that configuration of IPsec settings is simplified.
Additional Rule Configuration Options
The firewall in Windows XP is capable of simple exceptions for incoming traffic. The firewall in Windows Vista allows you to create flexible rules that can be used in a wide variety of situations.
New rule configuration options are:
• For IPsec communication, you can limit initiation to certain Active Directory groups or users
• Configuration of source and destination IP addresses, as well as predefined addresses for Windows Internet Name Service (WINS) servers, DHCP servers, DNS servers, default gateway, and local subnet
• IP protocol numbers can also be used in rules instead of just TCP or User Datagram Protocol (UDP) ports
• Source and destination TCP and UDP ports can be selected
• All or multiple ports can be selected for a rule
• Rules can be configured for specific interface types such as wireless
• Additional Internet Control Message Protocol (ICMP) packet types can be added to the default configuration
• Rules can be configured for services regardless of the port numbers the service uses
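The command-line side of the combined firewall and IPsec configuration is netsh advfirewall. The PowerShell script below is an added example, not from the course, that builds one rule for each of the new options above (outbound filtering, predefined address keywords, IP protocol numbers, ICMP types, interface types, service-scoped rules, and IPsec-authenticated rules) and enables dropped-packet logging; the rule names and port choices are illustrative, and the script prints the commands without applying them unless $apply is set.

```powershell
# Added example (not from the course): Windows Vista firewall rules exercising the new
# rule options. Run from an elevated prompt; set $apply = $true to change the configuration.
# Rule names contain no spaces so every token can be passed to netsh.exe unquoted.
$rules = @(
    # Outbound filtering: stop a worm that is known to spread over TCP 25 from leaving the host.
    'firewall add rule name=CourseDemo-BlockOutboundSMTP dir=out action=block protocol=TCP remoteport=25 profile=any'
    # Predefined address keyword: DNS queries may go only to the configured DNS servers.
    'firewall add rule name=CourseDemo-DnsToConfiguredServers dir=out action=allow protocol=UDP remoteport=53 remoteip=dns'
    # IP protocol number instead of a TCP/UDP port (47 = GRE, used by PPTP VPN tunnels).
    'firewall add rule name=CourseDemo-AllowGRE dir=in action=allow protocol=47'
    # ICMP type added to the defaults: IPv4 echo request (type 8, any code) from the local subnet.
    'firewall add rule name=CourseDemo-AllowPing dir=in action=allow protocol=icmpv4:8,any remoteip=localsubnet'
    # Interface-type scoping: file sharing only on wired LAN interfaces, and only from the local subnet.
    'firewall add rule name=CourseDemo-SmbWiredOnly dir=in action=allow protocol=TCP localport=445 interfacetype=lan remoteip=localsubnet'
    # Service-scoped rule: the Workstation service is allowed regardless of the ports it uses.
    'firewall add rule name=CourseDemo-WorkstationService dir=in action=allow service=LanmanWorkstation protocol=any'
    # Firewall and IPsec combined: inbound Remote Desktop is allowed only on IPsec-authenticated connections.
    'firewall add rule name=CourseDemo-RdpRequiresIPsec dir=in action=allow protocol=TCP localport=3389 security=authenticate'
    # Record dropped packets in pfirewall.log so blocked traffic can be reviewed.
    'set allprofiles logging droppedconnections enable'
)

$apply = $false   # review the printed commands first; $true applies them

foreach ($cmd in $rules) {
    Write-Host "netsh advfirewall $cmd"
    if ($apply) {
        # Each space-separated token becomes one argument to netsh.exe.
        & netsh.exe advfirewall ($cmd -split ' ')
        if ($LASTEXITCODE -ne 0) { Write-Warning "command failed with exit code $LASTEXITCODE" }
    }
}
```

After applying, netsh advfirewall firewall show rule name=all lists the resulting rules, and the CourseDemo- prefix makes them easy to find and remove with netsh advfirewall firewall delete rule.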