Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions...
Security Features in Microsoft® Windows® XP
James Noyce, Senior Consultant, Security Solutions Team, Business Critical Services
Microsoft Security Solutions, Feb 4, 2003
Agenda
  - Windows XP Security Features
  - What's New Since Windows 2000
  - Drill down into:
      Secure Wireless Networking
      Group Policy
      Software Restriction Policies
      Internet Connection Firewall
Security Is Only As Strong As The Weakest Link
  - Technology is neither the whole problem nor the whole solution
  - Secure systems depend upon Technology, Processes and People
Technology, Process, People
  Technology: Baseline technology (Standards, Encryption, Protection); Product security features; Security tools and products
  Process: Planning for security; Prevention; Detection; Reaction
  People: Dedicated staff; Training; Security - a mindset and a priority
Microsoft Windows Security Enhancements

Security Feature                              | Windows 98            | Windows 2000          | Windows XP
----------------------------------------------|-----------------------|-----------------------|--------------------
Integrated Wireless Networking                |                       | Add-on                | New with Windows XP
Internet Connection Firewall                  |                       | Available Third Party | New with Windows XP
Secure Networking (IPSec)                     |                       | Standard              | Standard
User-Level Security for shared files, folders |                       | Standard              | Standard
Encrypting File System                        |                       | Standard              | Standard
Public Key Infrastructure                     |                       | Standard              | Standard
Group Policy Objects                          |                       | Standard              | Standard
Auditing                                      |                       | Standard              | Standard
Smart Card Support                            | Available Third Party | Standard              | Standard
Multi-User Support                            | Limited Support       | Standard              | Standard
Screen Saver Password Protection              | Standard              | Standard              | Standard
Strong Authentication                         | Limited Support       | Standard              | Standard

Evolution of Windows Desktop Security
Windows XP Security Features
  - Users and Groups
  - Rights and Permissions
  - Kerberos
  - Crypto API
  - Data Protection API
  - Screen Saver Password
  - Digital Certificates
  - Smart Card Logon
  - Remote Access
  - Auditing
  - IP Security
  - Encrypting File System
  - Group Policy
  - 802.1x Network Authentication
  - Credentials Manager
  - Software Restriction Policies
  - Internet Connection Firewall
Builds on Windows 2000 Professional Security Features
Existing Security Features
  - Users and Groups
  - Rights and Permissions
  - Kerberos
  - Crypto API
  - Data Protection API
  - Screen Saver Password
Enhanced Security Features
  - Digital Certificates
      * Auto enrolment and renewal for users
  - Smart Card Logon
      Supports Remote Desktop
  - IP Security (IPSec)
      Stronger D/H key exchange
      NAT traversal
Enhanced Security Features
  - Auditing
      * More granular operation based auditing
  - Remote Access (VPN, DUN and PPPoE)
      Leverages Internet Connection Firewall
      L2TP/IPSec over NAT
  - Group Policy
      Increased number of policy settings
      Resultant Set of Policy (RSoP)
Active Directory Group Policy
  Group Policy covers:
  - Password Policy
  - Lockout Policy
  - Kerberos Policy
  - Audit Policy
  - User Rights
  - Security Options (Registry Values)
  - Event Log Settings
  - Restricted Groups
  - System Services (start-up mode and ACLs)
  - Registry ACLs
  - File System ACLs
Security Configuration Toolset
  - Use GPEDIT.MSC to edit Local Group Policy
  - Use SECPOL.MSC to edit Local Security Policy
  - Security Configuration and Analysis (SCA) to perform auditing and handle templates
  - Use SCA to import/export security templates (.INF files) for distribution via Group Policy
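Added example, not part of the presentation: a small parser for the .INF security templates SCA and secedit handle, used to compare a workstation's exported template against a baseline and report drift, the check SCA performs when analysing a computer. Both templates are constructed samples; the section and key names are the ones secedit templates use, the values are illustrative.

```python
# Added example (not from the presentation): compare a security template
# (.INF, the format SCA and secedit use) against a baseline and list the
# settings that drift, as SCA's "Analyze Computer Now" does. Both templates
# are constructed; key names are real secedit keys, values illustrative.
import configparser

BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
"""

# Constructed export from a workstation: weaker password policy, no
# MaximumPasswordAge, object-access auditing switched off.
WORKSTATION_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
"""

def parse_template(text):
    """Parse INF-style template text into {section: {key: value}}. Real exports
    are UTF-16 on disk; decode with encoding="utf-16" before calling this."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def analyze(baseline, actual, sections=("System Access", "Event Audit")):
    """Return {section: {key: (expected, found)}} for each baseline setting the
    actual template lacks (found is None) or sets to a different value."""
    drift = {}
    for section in sections:
        for key, expected in baseline.get(section, {}).items():
            found = actual.get(section, {}).get(key)
            if found != expected:
                drift.setdefault(section, {})[key] = (expected, found)
    return drift

for sec, items in analyze(parse_template(BASELINE_INF), parse_template(WORKSTATION_INF)).items():
    for key, (exp, got) in items.items():
        print(f"[{sec}] {key}: expected {exp}, found {got}")
```

The same comparison works on a real pair of templates after reading each file with `encoding="utf-16"`, since secedit writes its exports in that encoding.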
Enhanced Security Features
  - Encrypting File System
      Support for AES
      EFS over WebDAV
      Shared EFS
  - Misc…
      Controlled network access
      Offline file synchronisation
New Security Features
  - 802.1x Network Authentication
  - Credentials Manager
  - Software Restriction Policies
  - Internet Connection Firewall
802.1x Network Authentication
  - Secure wired and wireless networks from unauthorised access
  - Do not confuse with 802.11b/802.11x/etc…
  - Imagine authenticating the computer / user to the network port on the wall
  - Then picture accessing the network port via wireless…
802.1x Network Authentication
  - Supports password based (PEAP) and certificate based (EAP-TLS) credentials
  - Dynamic, rotating WEP keys
  - Requires backend infrastructure:
      Internet Authentication Service (IAS)
      Domain Controller
      Certificate Authority
802.1x Network Authentication (diagram)
  - Ethernet Switch: LAN Access
  - Wireless Access Point: WLAN Access
  - IAS/RADIUS Server
  - PKI Server
  - Active Directory: Authentication And Policy
  - Auditing
Credentials Manager
  - Users receive seamless access to resources for which they have valid credentials
  - Provide a common UI for gathering credentials
  - Provide per user safe storage of related credentials
  - Unlock those credentials using your user logon
Credentials Manager
  - Secure roaming storage for user credentials:
      Username, password
      X.509 certificates (smart cards)
      Passport
Software Restriction Policies
  - Restricts execution of unmanaged code: WIN32, scripts, etc…
  - Not to be confused with managed code restrictions in the .NET Framework
Internet Connection Firewall
  - Provides baseline intrusion prevention
  - Protects against scans for information
  - Denies all unsolicited inbound traffic
  - Stateful inspection of traffic
  - Configurable filtering and logging
  - Enabled or disabled via location aware Active Directory group policy
Summary
  - Most security features build upon what was present in Windows 2000 Professional
  - New security features simplify security management and reduce risk
Next Steps
Top 5 Web Resources
  http://www.microsoft.com/windowsxp/pro/techinfo/
  http://www.microsoft.com/technet/prodtechnol/winxppro/default.asp
  http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prork_overview.asp
  http://www.nsa.gov/snac/winxp/download.htm
  http://www.microsoft.com/security
  http://www.microsoft.com/uk/security