Implementing Client Security on Windows 2000 and Windows XP
Session Prerequisites

   Hands-on experience with Windows 2000
    or Windows XP management tools
   Knowledge of Active Directory and Group
    Policy




Level 200
Agenda
   Introduction
   Core Client Security
   Securing Clients with Active Directory
   Using Group Policy to Secure Clients
   Securing Applications
   Local Group Policy Settings for
    Standalone Clients
   Software Restriction Policy
   Antivirus Software
   Client Firewalls
The Importance of Security

   Protect information
   Protect communication channels
   Reduce downtime
   Protect revenues
   Protect worker processes

   2003 CSI/FBI Computer Crime and Security Survey
Defense in Depth
   Using a layered approach:
       Increases an attacker’s risk of detection
       Reduces an attacker’s chance of success


   Layer                                Defenses
   Data                                 ACL, encryption
   Application                          Application hardening, antivirus
   Host                                 OS hardening, update management, authentication, HIDS
   Internal Network                     Network segments, IPSec, NIDS
   Perimeter                            Firewalls, VPN quarantine
   Physical Security                    Guards, locks, tracking devices
   Policies, Procedures, & Awareness    User education
Components of Client Computer Security
   Client Security Defense In Depth
   Software Updates          Apply software updates to keep systems current
   Password Best Practices   Use strong passwords across systems to restrict access
   Data Protection           Back up, encrypt, and restrict access to data
   Application Security      Deploy, configure, and restrict application software installation
   Client Management         Use Active Directory, templates, and policies to enforce security
   Mobile Computing          Implement policies and technologies to secure remote and wireless access
   Antivirus                 Install and maintain antivirus software to help protect against malicious code
   Firewalls                 Configure hardware devices and/or software to help protect perimeter
Managing Software Updates
   Implement an update management solution
    to protect against vulnerabilities
     Customer Type                Scenario                                                   Customer Chooses
     Consumer                     All scenarios                                              Windows Update
     Small business               No servers running Windows                                 Windows Update
     Small business               Have one to three servers running Windows and one          SUS
                                  IT administrator
     Medium or large enterprise   Want update management solution with basic level of        SUS
                                  control that updates Windows 2000 and later versions
                                  of Windows
     Medium or large enterprise   Want single flexible update management solution with       SMS
                                  extended level of control to update (and distribute)
                                  all software


   Attend Patch Management training session or
    review prescriptive guidance at:
    http://www.microsoft.com/technet/security
Password Best Practices

    Educate users about good password practices


    Use pass phrases with spaces, numbers, and
    special characters instead of passwords

    Use different passwords for different resources,
    and protect password list

    Configure screen savers to use password
    protection, and lock workstations when away

    Use multifactor authentication for extra levels of
    security
Data Protection

   Use EFS to restrict access to data
   Sign e-mail and software to ensure
    authenticity
   Use Information Rights Management to
    protect digital information
    from unauthorized use
Mobile Computing

   The use of mobile computing devices
    introduces further security considerations
   Mobile devices extend the perimeter when
    connected to corporate assets
   Additional layers of defense
    are required:
       BIOS passwords
       Network Access Quarantine Control
       Wireless authentication protocols
       Data protection
Active Directory Components

   Forest
       A security boundary in Active
        Directory
   Domain
       A collection of computer, user,
        and group objects defined by the
        administrator
   Organizational Unit
       An Active Directory container
        object used within domains
   Group Policy
       The infrastructure that enables
        the implementation and
        management of network security
Establishing an OU Hierarchy
   Group Policy simplifies the application of client security settings
   Split hierarchy model
       Windows XP Security Guide
       Separates user and computer OUs
       Applies appropriate policy settings to each OU

   OU hierarchy (diagram):
       Root Domain
           Domain Controller OU
           Department OU
               Secured XP Users OU
               Windows XP OU
                   Desktop OU
                   Laptop OU
Demonstration 1: Modifying Active Directory for Client Security
   Viewing Default Domain Policy
   Creating an OU Hierarchy
   Creating an OU Policy
   Moving the Client
How to Create an OU Hierarchy

1.   Create OUs for each department
2.   Create OUs in each department for users
     and for various operating system
     versions
3.   Create OUs under each operating system
     OU for each computer type (for example,
     laptops)
4.   Move each client computer object into the
     appropriate OU
Best Practices for Using Active
Directory to Implement Security

     Create OU structure for client security


     Create OU hierarchy to separate user and
     computer objects based on role

     Apply Group Policy with appropriate security
     settings for each computer role
Using Security Templates
   Security templates are preconfigured sets of
    security settings
   Windows XP Security Guide templates
    include:
       Two domain templates that contain settings for all
        computers in the domain
       Two templates that contain settings for desktop
        computers
       Two templates that contain settings for laptop
        computers
   Each template has an enterprise and high-
    security version
   The settings in a security template can be
    edited, saved, and imported into a GPO
Using Administrative Templates

   Administrative templates contain registry
    settings that can be applied to users and
    computers
       Windows XP SP1 administrative templates
        have over 850 settings
       The Windows XP Security Guide includes ten
        additional administrative templates
       Third-party software companies might supply
        additional templates
   You can import additional
    templates when editing
    a GPO
What Are Security Settings?
Security Settings        Explanation
Account Policy           Sets password and account lockout policy for domain
Account Lockout Policy   Prevents access after a number of failed logon attempts
Audit Policy             Specifies which security events will be recorded
Event Log                Specifies settings for log retention and maximum log size
File System              Specifies permissions and audit settings for file system objects
IPSec Policies           Filter traffic to and from server to block unwanted traffic
Registry Settings        Specify access permissions and audit settings for registry keys
Restricted Groups        Specifies which accounts are members of the group, and which groups the
                         group is a member of
Security Options         Specify a wide variety of security settings for users and computers
Software Restrictions    Prevent malicious software from running on client computers
System Services          Specifies the startup mode and access permissions for services
User Rights Assignment   Specifies which users and groups are able to perform specific actions on
                         computers
Top Eight Client Security
Settings
   The most commonly modified client
    computer security settings include:
       Allowed to Format and eject removable media
       Anonymous enumeration of SAM accounts
       Enable auditing
       Everyone includes anonymous
       LAN Manager authentication Level
       Password Policy
       Remove LM hashes
       SMB signing
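
An added example, not part of the original slides or the Windows XP Security Guide: a small Python auditor that parses a security template (.inf) and reports how it sets the eight settings listed above. The template text is constructed, the registry value names are the ones Windows security templates use for these options, and the pass thresholds (a minimum length of 8, LAN Manager level 4 or higher) are assumptions to replace with your own baseline.

```python
# Added example: audit a security template (.inf); thresholds are assumptions.
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
WKS = "MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\"
WINLOGON = "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
REG = "registry values"

# (setting from the slide, template section, key, test for an acceptable value)
CHECKS = [
    ("Format and eject removable media", REG, WINLOGON + "AllocateDASD",
     lambda v: v == "0"),                      # 0 = Administrators only
    ("Anonymous enumeration of SAM accounts", REG, LSA + "RestrictAnonymousSAM",
     lambda v: v == "1"),
    ("Enable auditing", "event audit", "AuditLogonEvents",
     lambda v: v in ("1", "2", "3")),          # 0 = no auditing
    ("Everyone includes anonymous", REG, LSA + "EveryoneIncludesAnonymous",
     lambda v: v == "0"),
    ("LAN Manager authentication level", REG, LSA + "LmCompatibilityLevel",
     lambda v: int(v) >= 4),                   # assumed floor
    ("Password Policy", "system access", "MinimumPasswordLength",
     lambda v: int(v) >= 8),                   # assumed minimum length
    ("Remove LM hashes", REG, LSA + "NoLMHash",
     lambda v: v == "1"),
    ("SMB signing", REG, WKS + "EnableSecuritySignature",
     lambda v: v == "1"),
]

# Constructed sample, not a template shipped with the guide.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
"""


def parse_template(text):
    """Return {section: {key: value}} with lower-cased section names and keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit(text):
    """Map each setting to 'ok', 'weak', or 'not set' (template leaves it alone)."""
    sections, report = parse_template(text), {}
    for name, section, key, acceptable in CHECKS:
        value = sections.get(section, {}).get(key.lower())
        if value is not None and section == REG:   # stored as <type>,<data>
            value = value.split(",", 1)[-1].strip().strip('"')
        try:
            status = "not set" if value is None else "ok" if acceptable(value) else "weak"
        except ValueError:                     # non-numeric data where a number is expected
            status = "weak"
        report[name] = status
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATE))
```

A "not set" result matters as much as "weak": a setting the template does not define keeps whatever value the client already has. Template files on disk are usually UTF-16, so open them with that encoding before passing the text to audit().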
Demonstration 2: Using Group Policy
   Viewing Windows XP Security Settings
   Viewing Administrative Templates
   Viewing the Available Security Templates
   Applying Security Templates
   Implementing the Security Templates
How to Apply Security Templates
and Administrative Templates
   Policy and template applied at each level (diagram):
       Root Domain: Domain Policy (Enterprise Client Domain.inf)
           Domain Controller OU
           Department OU
               Secured XP Users OU: Secured XP Users Policy
               Windows XP OU
                   Desktop OU: Desktop Policy (Enterprise Client Desktop.inf)
                   Laptop OU: Laptop Policy (Enterprise Client Laptop.inf)
Best Practices for Using Group
Policy to Secure Clients
     Use enterprise client templates as a baseline and
     modify them to suit your needs


     Implement strict account and audit policies


     Test templates thoroughly before deployment


     Use additional administrative templates
Internet Explorer Administrative
Templates
   Enforces security requirements for
    Windows XP workstations
   Prevents the exchange of unwanted
    content
       Use settings included in the
        enterprise client templates
       Use Internet Explorer
        Maintenance (IEM) in
        Group Policy to configure
        security zones for trusted sites
Internet Explorer Zones

Security Zone       Description
My Computer         Hidden from Internet Explorer interface
                    Intended for content that is found on the local computer
Intranet            Internal sites. Includes UNC paths, sites that bypass the proxy, and all
                    internal sites not listed in another zone, except:
                        Windows Server 2003 with Enhanced Security Configuration
                        Does not automatically cover internal sites
                        Explicitly lists http(s)://localhost and hcp://system
Trusted Sites       Empty by default except on WS03
                    WS03 with ESC includes Online Crash Analysis & Windows Update
                    Configurable by local interface or by policy
Internet            Everything not covered in another zone
                    Windows Server 2003 includes all intranet sites by default
Restricted Sites    Empty by default
                    Prevents ActiveX, scripting, and downloads
                    Configurable by local interface or by policy
Microsoft Outlook

   Use the Outlook Administrator Pack to
    customize Outlook security
   Use the Outlook Administrative Template
    to configure Outlook security
   Outlook 2003 security enhancements
       Warns user before opening potentially
        dangerous file types
       Runs executable content in the Restricted
        Sites zone
       Does not automatically load HTML content
Microsoft Office Administrative
Templates
   Templates for Office XP ship with the
    Windows XP Security Guide
   Templates for Office 97 and later are
    available when you download the
    applicable version of the Office Resource
    Kit
Best Practices for Securing
Applications
     Educate users about how to safely download files
     from the Internet and how to safely open e-mail
     attachments


     Only install applications that are required for users
     to do their jobs


     Implement a policy for updating applications
Local Group Policy Settings

   When clients are not members of an
    Active Directory domain, use local Group
    Policy to configure standalone client
    computers
       Standalone Windows XP clients
        use a modified version of the
        security templates
       Each Windows XP Professional
        client uses a local GPO and the
        Group Policy Object Editor or
        scripts to apply settings
Predefined Security Templates

   If clients connect to a Windows NT 4.0
    domain, use:
                                       Legacy Enterprise Client                 Legacy High Security Client
    Baseline security for desktops     Legacy Enterprise Client - desktop.inf   Legacy High Security - desktop.inf
    Baseline security for laptops      Legacy Enterprise Client - laptop.inf    Legacy High Security - laptop.inf



   If clients do not connect to a Windows
    NT 4.0 domain, use standalone security
    templates
Demonstration 3: Securing Standalone Clients
   Modifying a Security Template
   Deploying a Security Template
   Viewing Example Scripts
   Viewing Security Settings
How To Use Local Security Policy
to Secure Standalone Clients
1.   Load the Local Group Policy MMC (Gpedit.msc)
2.   Navigate to Computer Settings/Windows
     Settings and then right-click the Security
     Settings node and select Import Policy
3.   Browse to the location that contains the
     appropriate security template (for example,
     Legacy High Security – Desktop)
4.   Configure additional security settings as per
     prescriptive guidance
Best Practices for Applying Local
Group Policy Settings

     Use the standalone template from the Windows XP
     Security Guide as a baseline

     Use the secedit tool to automate standalone
     template distribution


     Develop procedures to deploy policies


     Implement mechanisms to update clients
What Is Software Restriction
Policy?

   Policy-driven mechanism that identifies
    and controls software on a client
    computer
   Default security level has two options:
       Unrestricted – all software except specifically
        denied software can be run
       Disallowed – only specifically allowed
        software can be run
How Software Restriction Works



1.   Define policy for the domain using Group Policy Editor
2.   Download policy by Group Policy to the computer
3.   Enforced by operating system when software is run
Four Rules for Identifying Software
Hash Rule
    Compares the MD5 or SHA1 hash of a file to the one attempting to run
    Use when you want to allow or prohibit a certain version of a file from being run
Certificate Rule
    Checks for digital signature on application (for example, Authenticode)
    Use when you want to restrict both win32 applications and ActiveX content
Path Rule
    Compares path of file being run to an allowed path list
    Use when you have a folder with many files for the same application
    Essential when SRPs are strict
Internet Zone Rule
    Controls how Internet Zones can be accessed
    Use when in high security environments to control access to Web applications
Demonstration 4: Applying a Software Restriction Policy
   Creating a Software Restriction Policy
   Restarting the Virtual Machine
   Setting Administrator Override
   Testing the Software Restriction Policy
How to Apply Software
Restrictions
1.   Open the Group Policy object for the OU in
     which you want to apply the software
     restriction policy
2.   Navigate to the Computer Settings/Windows
     Settings/Security Settings node
3.   Right-click Software Restriction Policies and
     then click Create New Policies
4.   Configure Hash, Certificate, Path, and Internet
     Zone rules to accommodate your organization’s
     needs
Best Practices for Applying
Software Restriction Policies
     Create a rollback plan


     Use a separate Group Policy object to implement
     software restrictions


     Use in conjunction with NTFS for defense in depth


     Never link to another domain


     Thoroughly test new policy settings
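
An added example, not part of the original slides and not Microsoft's implementation: a simplified Python model of how the hash and path rules described above combine with the default security level. It assumes SHA-1 for hash rules and the documented precedence (a hash rule outranks a path rule, and the most specific path wins); the file contents, paths and the `Policy` class are constructed for illustration.

```python
# Added example: a simplified model of Software Restriction Policy evaluation.
# Only hash and path rules are modelled; certificate and Internet zone rules,
# environment-variable paths and designated file types are left out.
import hashlib
import ntpath  # Windows path rules, usable on any OS

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))


class Policy:
    def __init__(self, default_level):
        self.default_level = default_level
        self.hash_rules = {}   # SHA-1 hex digest -> security level
        self.path_rules = {}   # normalised folder -> security level

    def add_hash_rule(self, file_bytes, level):
        self.hash_rules[hashlib.sha1(file_bytes).hexdigest()] = level

    def add_path_rule(self, folder, level):
        self.path_rules[_norm(folder)] = level

    def evaluate(self, path, file_bytes):
        """Return (level, deciding rule) for a file about to run."""
        digest = hashlib.sha1(file_bytes).hexdigest()
        if digest in self.hash_rules:            # a hash rule outranks a path rule
            return self.hash_rules[digest], "hash rule"
        target = _norm(path)
        matches = [f for f in self.path_rules if target.startswith(f + "\\")]
        if matches:                              # the most specific folder wins
            return self.path_rules[max(matches, key=len)], "path rule"
        return self.default_level, "default level"


# Constructed byte strings standing in for executables.
PAYROLL_V1 = b"constructed: payroll.exe version 1.0"
BANNED_TOOL = b"constructed: a tool version the organisation prohibits"


def strict_policy():
    """Default level Disallowed, so path rules must allow the system folders."""
    policy = Policy(DISALLOWED)
    policy.add_path_rule(r"C:\Windows", UNRESTRICTED)
    policy.add_path_rule(r"C:\Program Files", UNRESTRICTED)
    policy.add_hash_rule(BANNED_TOOL, DISALLOWED)
    return policy


if __name__ == "__main__":
    p = strict_policy()
    cases = [
        (r"C:\Program Files\Payroll\payroll.exe", PAYROLL_V1),
        (r"C:\Documents and Settings\alice\Desktop\payroll.exe", PAYROLL_V1),
        (r"C:\Program Files\Tools\renamed.exe", BANNED_TOOL),
        # One changed byte: the hash rule no longer matches, the path rule decides.
        (r"C:\Program Files\Tools\tool.exe", BANNED_TOOL + b"\x00"),
    ]
    for path, data in cases:
        print(path, "->", p.evaluate(path, data))
```

The last case shows why the best practices pair software restriction with NTFS: a hash rule pins exactly one version of a file, while a path rule trusts whatever is in the folder, so users should not have write access to folders a path rule allows.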
The Virus Problem

   Virus costs now exceed
    $10 billion
       Direct cost
           IT staff or consultants
       Indirect IT costs
           Loss of productivity,
            data, or goodwill
Antivirus Deployment



 Organization size                 Antivirus deployment solution
 Individuals and very small        Install standalone antivirus products on individual Windows XP clients.
 organizations
 Small and midsize organizations   Centralized deployment.
                                   Use Group Policy to deploy antivirus software.
 Enterprise-level organizations    Centralized deployment.
                                   Install using Active Directory and Group Policy.
                                   Install and manage using vendor administration console.
Antivirus Updates
   Desktop computers
       Local servers store virus updates for
        distribution
       The best solution is a push model,
        in which the definitions are immediately
        copied to the clients
       Do not rely on users to
        download updates
   Laptop computers
       Use Internet updates
        when away from office
Best Practices for Virus Protection


     Apply vendor updates regularly


     Use a central deployment strategy


     Use client-specific software on clients
The Need for Client Firewalls

   For clients on the LAN, a firewall protects
    network computers from automated
    attacks
   Desktops with modem connections
    to the Internet need ICF or a third-party
    firewall
   Laptops with Internet connection
    at home, hotel, or WiFi
    hotspot need a personal
    or individual firewall
Internet Connection Firewall

   Basic protection from Internet threats
       Disallows incoming
        traffic
   Limitations
       No outbound filtering
       Support and software
        issues
       Limited configuration
        options
             ICF is Improved in Windows XP SP2
Third-Party Firewall Software

   Reasons to use third-
    party firewalls:
       Increased ability to control
        inbound and outbound
        traffic
       Additional features, such
        as intrusion detection
   Issues with third-party
    firewalls:
       Scalability
       Complexity
Demonstration 5: Enabling the Client Firewall
   Enabling Internet Connection Firewall
   Testing Outbound Access
   Testing Inbound Access
How to Enable Internet
Connection Firewall
1.   Open Control Panel and select Network
     Connections
2.   Right-click the connection to secure, and then
     click Properties
3.   Click the Advanced tab and then select the
     Protect My Computer Network By Limiting Or
     Preventing Access To This Computer From The
     Internet check box.
4.   Configure the Settings tab to open ports for
     services running on the computer (for example,
     Remote Desktop)
Best Practices for Firewalls

     Require users to enable Internet Connection
     Firewall on all connections when not using the
     organization’s LAN

     Use scripting to force remote clients to use
     Internet Connection Firewall for VPN connections

     Do not implement Internet Connection Firewall on
     client computers that are physically connected to
     your corporate network
Session Summary

   Introduction
   Core Client Security
   Securing Clients with Active Directory
   Using Group Policy to Secure Clients
   Securing Applications
   Local Group Policy Settings for
    Standalone Clients
   Software Restriction Policy
   Antivirus Software
   Client Firewalls
Next Steps
1.   Stay informed about security
        Sign up for security bulletins:
         http://www.microsoft.com/security/security_bulletins/alerts2.asp
        Get the latest Microsoft security guidance:
         http://www.microsoft.com/security/guidance/
2.   Get additional security training
        Find online and in-person training seminars:
         http://www.microsoft.com/seminar/events/security.mspx
        Find a local CTEC for hands-on training:
         http://www.microsoft.com/learning/
For More Information

   Microsoft Security Site (all audiences)
       http://www.microsoft.com/security
   TechNet Security Site (IT professionals)
       http://www.microsoft.com/technet/security
   MSDN Security Site (developers)
       http://msdn.microsoft.com/security
Questions and Answers

				