Internet Explorer zones let you configure different security options for categories of Web sites.. Protected Mode is a new feature in Internet Explorer 7 that reduces the impact of vulne
Trang 1What Are the NAP Components?
Network Policy Server (NPS) is the main component in NAP and is a component of Windows Server “Longhorn” NPS serves as a central point where health policies can be checked NPS also coordinates Active Directory queries required for health policy checks Internet Authentication Service (IAS), found in previous versions of Windows Server, has been replaced with NPS
Each type of NAP enforcement requires an enforcement client (EC) on the network node
to negotiate health compliance Each EC is specific to the type of NAP enforcement For example, DHCP enforcement requires a DHCP NAP EC The required ECs are part of Windows Vista and may also be released for Windows XP SP2
IPsec Enforcement
IPsec enforcement limits communication on your network to computers that are
compliant with health policy requirements This is the strongest form of NAP
enforcement
A health certificate server and an IPsec NAP EC are required for IPsec enforcement The health certificate server issues X.509 certificates to clients when they are determined to
be compliant with the health policy requirements These certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on the network
Trang 2802.1X Enforcement
802.1X enforcement comprises an NPS server and an EAPHost NAP EC component Using 802.1X enforcement, an NPS server instructs an 802.1X access point (an Ethernet switch or a wireless access point) to place a restricted access profile on the 802.1X client until it performs a set of remediation functions A restricted access profile can consist of a set of IP packet filters or a virtual LAN (VLAN) identifier to confine the traffic of an 802.1X client 802.1X enforcement provides strong limited network access for all
computers accessing the network through an 802.1X connection
VPN Enforcement
Virtual private network (VPN) enforcement comprises a VPN NAP Enforcement Server (ES) component and a VPN NAP EC component Using VPN enforcement, VPN servers can enforce health policy requirements any time a computer attempts to make a VPN connection to the network VPN enforcement provides strongly limited network access for all computers accessing the network through a VPN connection
DHCP Enforcement
DHCP enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component Using DHCP enforcement, DHCP servers can enforce health policy
requirements any time a computer attempts to lease or renew an IP address configuration
on the network DHCP enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses However DHCP enforcement relies on entries in the IP routing table, so it is the weakest form of limited network access in NAP
Trang 3What Are the NAP Implementation Scenarios?
NAP is a flexible solution for enforcing health requirements on network computers
before allowing access Some of the scenarios where NAP can be used are:
• Monitor the health of roaming portable computers While portable computers are
away from the corporate network, they might not receive the most recent software updates or configuration changes In addition, portable computers may be infected with viruses when they are exposed to unprotected networks such as the Internet You can use NAP to verify portable computer health each time a portable computer connects to the corporate network either remotely through a VPN connection or locally
• Ensure the health of desktop computers Desktop computers that do not have the
most recent updates are at a higher risk of virus infection from Web sites, e-mail, and files in shared folders You can use NAP to verify that desktop computers have the most recent updates before allowing them to connect to the network
• Determine the health of visiting portable computers Organizations frequently need to
allow consultants and guests access to their private networks The portable computers that these visitors bring might not meet network requirements and can present health risks You can use NAP to limit visiting portable computers to a restricted network
Trang 4• Verify the health of unmanaged home computers Unmanaged home computers
provide an additional challenge to network administrators because they do not have physical access to these computers Lack of physical access makes enforcing compliance with network requirements (such as the use of antivirus software) more difficult Verifying the health of these computers is similarly challenging You can use NAP to check for required programs, registry settings, or files before allowing home computers to access the network by using a VPN connection
Trang 5Internet Explorer 7 Security Enhancements
Introduction
Applications that communicate on the Internet are particularly vulnerable to security flaws because they are exposed to a wide variety of data from unprotected networks If any flaw is found in an Internet-facing application, hackers can quickly exploit it Internet Explorer 7 includes many improvements to make Web browsing more secure
Objectives
After completing this section, you will be able to:
• Describe the threats to Internet Explorer
• Understand Internet Explorer Zones
• Describe how Protected Mode reduces security vulnerabilities
• Describe how Internet Explorer 7 blocks pop-up windows
• Understand the Phishing Filter
Trang 6What Are the Threats to Internet Explorer?
Internet Explorer and other Web browsers are exposed to more security threats than most software because they are used to retrieve information directly from the Internet Hackers can create Web sites that exploit known vulnerabilities Just visiting a Web site that takes advantage of a vulnerability can cause malware to be installed or change system settings
In rare cases, there are unknown vulnerabilities that are discovered and used by hackers for a period of time before they become well known
Most Internet Explorer vulnerabilities are a result of scripts being included as part of the Web page Many Web pages include JavaScript or VBScript to create dynamic Web page elements However, if the scripting engine in Internet Explorer does not handle certain coding properly, a hacker may be able to run arbitrary code on the workstation or perform other tasks
Other Internet Explorer vulnerabilities are the result of specially crafted image files or Web page content that confuse the components that are supposed to render them When the image file or Web page content is rendered incorrectly, malware can be installed The best way to reduce Internet Explorer vulnerabilities is by applying updates when they are available Updates are used to eliminate known vulnerabilities
Trang 7What Are Internet Explorer Zones?
Internet Explorer provides a wide variety of security options that you can configure These security options define the rules for how to handle content such as Microsoft
ActiveX® controls or scripting in Web pages
Internet Explorer zones let you configure different security options for categories of Web sites Each zone is a category of Web sites
The Internet Explorer zones are:
• Internet All Web sites not specifically included in another zone are part of the
Internet zone The default security level for this zone is Medium-high, which is suitable for viewing most Web site content
• Local intranet For Windows Vista computers joined to a domain, the Local intranet
zone includes all computers that are part of the domain For Windows Vista
computers that are not joined to a domain, the Local intranet zone is not used The default security level for this zone is Medium-low to allow intranet applications that require advanced scripting options and ActiveX controls to function properly
• Trusted sites You must specifically add sites to the Trusted sites zone No sites are in
the Trusted sites zone by default You can use the Trusted sites zone for partner Web sites that need to run advanced scripting and ActiveX controls to run properly The default security level for this zone is Medium
Trang 8• Restricted sites You must specifically add sites to the Restricted sites zone No sites
are in the Restricted sites zone by default You can use the Restricted sites zone for Web sites that you are concerned might be dangerous, or just to stop scripting on Web pages that you find annoying The security level for this zone is High and cannot be lowered except by using custom settings
Trang 9What Is Protected Mode?
Protected Mode is a new feature in Internet Explorer 7 that reduces the impact of
vulnerabilities that have not been corrected When Protected Mode is in use for an
Internet Explorer zone, Internet Explorer runs as a low integrity process As a low
integrity process, Internet Explorer can only modify low integrity resources, which is a very limited area
Integrity levels are a new feature in Windows Vista that are added to the access control list (ACL) of objects Traditionally, objects such as files and registry keys contained only user and group permissions in the ACL Integrity levels have been added as an additional security mechanism to control which processes are able to access resources
Low Integrity Processes
Low integrity processes can only write to folders, files, and registry keys that have been assigned a low integrity mandatory label As a result, Internet Explorer and extensions run in Protected Mode can only write to low integrity locations, such as the new low integrity temporary Internet files folder, the History folder, the Cookies folder, the
Favorites folder and the Windows temporary file folders Any resources not specifically assigned an integrity level are considered medium integrity level
Furthermore, the Protected Mode process will run with a low desktop integrity level when Windows Vista ships, which will prevent it from sending specific window
messages to higher integrity processes
Trang 10By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that can be caused by a compromised Internet Explorer process An attacker cannot, for example, silently install a keystroke logger to the user's Startup folder Likewise, a compromised process cannot manipulate applications on the desktop through window messages
Backward Compatibility
Some Web applications require backward compatibility because they assume that they have greater privileges than a low integrity process To accommodate the need for backward compatibility, Internet Explorer can employ redirection or elevate privileges Redirection takes access attempts such as writing files and registry keys in medium integrity locations and redirects them to low integrity locations Privilege elevation asks for a user’s consent before elevating to access resources outside of the low integrity locations
Trang 11Demonstration: Configuring Protected Mode
In this demonstration, you will see how you can:
• Enable Protected Mode for all zones
• Configure customized security settings
Key Points
• Internet Explorer categorizes Web sites into zones
• Each zone has independent security settings
• Internet Explorer 7 has a new Protected Mode which defaults to run Internet Explorer
as a low privilege process
Trang 12How Internet Explorer 7 Prevents Pop-Up Windows
Internet Explorer 7 includes a Pop-up Blocker to stop most pop-up windows A pop-up window is a small Web browser window that appears on top of the Web site you are viewing Pop-up windows often open as soon as you visit a Web site and are usually used for advertising
When a pop-up window is blocked, the message “Pop-up blocked To see this pop-up or additional options click here” appears in the information bar When you click on the information bar you can allow the pop-up window one time or permanently from that Web site
The default configuration of Pop-up Blocker does not stop pop-up windows that are triggered when you click on a link This allows many online applications to work
properly However, you may be required to add an exception for online applications such
as banking
Trang 13You can configure the filtering level for Pop-up Blocker as:
• High: Block all pop-ups This setting blocks all pop-up windows, including those that
are created by clicking a link
• Medium: Block most automatic pop-ups This setting blocks most pop-up windows,
but allows pop-up windows that are triggered when you click a link
• Low: Allow pop-ups from secure sites This setting automatically allows pop-up
windows for sites accessed with the HTTPS protocol Non-HTTPS sites are treated the same as when the Medium setting is selected
Pop-up windows are not blocked for sites in the Local intranet or Trusted sites
zones
Trang 14Demonstration: Configuring the Pop-up Blocker
In this demonstration, you will see how you can:
• Test Pop-up Blocker default settings
• Configure Pop-up Blocker settings
Key Points
• The Pop-up Blocker prevents most Web page pop-up windows
• You can configure how sensitive the Pop-up Blocker is
Trang 15What Is the Phishing Filter?
The Phishing Filter is a new feature in Internet Explorer 7 that helps detect phishing Web sites A phishing Web site is designed to look like a legitimate Web site that collects personal information or logon information, such as an online banking site However, the phishing site collects information for criminals to steal money or perform identity theft Most phishing attempts start with an e-mail message asking users to click a link and verify their information or log on
Detecting Phishing Sites
The Phishing Filter performs three tasks to detect phishing sites:
• The Web site addresses you visit are compared to a list of known legitimate Web sites to ensure legitimate sites are not blocked
• The Web sites you visit are analyzed to see if they have the characteristics of a
phishing Web site
• The Web site addresses you visit are compared to a list of known phishing Web sites
If the site you are visiting is on the list of reported phishing Web sites, a warning page is displayed From the warning page, you can select to continue to the Web site or close the page If the Web site you are visiting contains characteristics common to a phishing Web site, but is not on the list of known phishing Web sites, a warning is displayed in the information bar
Trang 16Reporting Phishing Sites
Within the Phishing Filter menu, users can report a potential phishing site Microsoft verifies phishing sites before they are added to the list of known phishing sites However,
if your Web site is incorrectly listed as a phishing site, you can also report the incorrect listing to Microsoft for removal
Trang 17Demonstration: Configuring the Phishing Filter
In this demonstration, you will see how you can:
• Configure the Phishing Filter
Key Points
• The Phishing Filter prevents malicious Web sites from impersonating legitimate Web sites and stealing your personal information