Least Privilege Security for Windows 7, Vista and XP

Name: Least Privilege Security for Windows 7, Vista and XP | Secure desktops for regulatory compliance and business agility
Brand: Packt Publishing
Availability: OnlineOnly

Secure desktops for regulatory compliance and business agility

Russell Smith(Autor*in)

Packt Publishing

1. Auflage

Erschienen am 5. Juli 2010

464 Seiten

E-Book

ePUB mit Adobe-DRM

Systemvoraussetzungen

E-Book

PDF mit Adobe-DRM

Systemvoraussetzungen

978-1-84968-005-9 (ISBN)

ab 33,99 €

Als Download verfügbar

Merkliste: siehe Preise

Beschreibung

Alle Preise

Weitere Details

Weitere Ausgaben

Inhalt

Intro
Least Privilege Security for Windows 7, Vista and XP
Table of Contents
Least Privilege Security for Windows 7, Vista and XP
Credits
About the Author
About the Reviewers
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. An Overview of Least Privilege Security in Microsoft Windows
What is privilege?
What is Least Privilege Security?
Limiting the damage from accidental errors with Least Privilege Security
Reducing system access to the minimum with Least Privilege Security
Least Privilege Security in Windows
Windows 9.x
Windows NT (New Technology)
Windows 2000
Windows XP
Windows Vista
Windows 7
Advanced Least Privilege Security concepts
Discretionary Access Control
Mandatory Access Control
Mandatory Integrity Control
Role-based Access Control
Least Privilege Security in the real world
Benefits of Least Privilege Security on the desktop
Change and configuration management
Damage limitation
Regulatory compliance
Software licensing
What problems does Least Privilege Security not solve?
Common challenges of Least Privilege Security on the desktop
Application compatibility
System integrity
End user support
Least Privilege and your organization's bottom line
Determining the affect of Least Privilege Security on productivity
Reducing total cost of ownership
Improved security
Summary
2. Political and Cultural Challenges for Least Privilege Security
Company culture
Defining company culture
Culture shock
Culture case studies
Company A
Company B
Getting support from management
Selling Least Privilege Security
Using key performance indicators
Using key risk indicators
Mapping CSFs to KPIs
Security metrics
Threat modeling
Reducing costs
Security adds business value
Setting an example
User acceptance
Least Privilege Security terminology
Justifying the decision to implement Least Privilege Security
Applying Least Privilege Security throughout the enterprise
Deciding whom to exempt from running with a standard user account
What not to do
Managing expectations
Service catalog
Chargebacks
Maintaining flexibility
User education
Summary
3. Solving Least Privilege Problems with the Application Compatibility Toolkit
Quick compatibility fixes using the Program Compatibility Wizard
Applying compatibility modes to legacy applications
Program Compatibility Wizard
Program Compatibility Assistant
Disabling the Program Compatibility Assistant
Excluding executables from the Program Compatibility Assistant
Achieving application compatibility in enterprise environments
Compatibility fixes
Modifying applications using shims
Enhancing security using compatibility shims
Deciding whether to use a shim to solve a compatibility problem
Vendor support
In-house applications
Kernel-mode applications
Creating shims for your legacy applications
Solving compatibility problems with shims
LUA compatibility mode fixes in Windows XP
LUARedirectFS
LUARedirectFS_Cleanup
LUARedirectReg
LUARedirectReg_Cleanup
LUATrackFS
Creating your own custom database
Maxthon on Windows XP
Working with other commonly used compatibility fixes
ForceAdminAccess
CorrectFilePaths
VirtualRegistry
ADDREDIRECT
Working with custom databases
Adding new shims to your custom database (merging custom databases)
Temporarily disabling compatibility fixes
Installing a custom database from Compatibility Administrator
Deploying a database to multiple devices
Finding the GUID of custom database
SDBINST command-line switches
Distributing or updating a custom database using Group Policy
Summary
4. User Account Control
User Account Control components
Elevation prompts
Protected administrator (PA)
Windows Integrity Control and User Interface Privilege Isolation
Application Information Service
Filesystem and registry virtualization
Internet Explorer Protected Mode
The shield icon
User Account Control access token model
Standard user access token
Protected administrator access token
Conveniently elevating to admin privileges
Automatically launching applications with admin privileges
Consent and credential elevation prompts
Consent prompts
Credential prompts
Application-aware elevation prompts
Windows Vista
Publisher verified (signed)
Publisher not verified (unsigned)
Publisher blocked
Administrator accounts
Elevation prompt security
Securing the desktop
Providing extra security with the Secure Attention Sequence (SAS)
Securing elevated applications
Windows Integrity Mechanism
Integrity policies
Assigning integrity levels
User Interface Privilege Isolation
User Interface Privilege Level
UIPI and accessibility
Achieving application compatibility
Application manifest
Power Users
Windows Logo Program
Certification requirements
Filesystem and registry virtualization
Filesystem virtualization
Virtual root directory
Registry virtualization
Virtual root registry
Using Task Manager to determine whether a process is using UAC filesystem and registry virtualization
Windows Installer and User Account Control
Automatically detecting application installers
Controlling User Account Control through Group Policy
Admin Approval Mode for the built-in administrator account
Allowing UIAccess applications to prompt for elevation without using the secure desktop
Behavior of the elevation prompt for administrators in Admin Approval Mode
Behavior of the elevation prompt for standard users
Detect application installations and prompt for elevation
Only elevate executables that are signed and validated
Only elevate UIAccess applications that are installed in secure locations
Run all administrators in Admin Approval Mode
Switch to the secure desktop when prompting for elevation
Virtualize file and registry write failures to per-user locations
What's new in Windows 7 User Account Control
User Account Control slider
Auto-elevation for Windows binaries
Executables
Microsoft Management Console (MMC)
Component Object Model (COM) objects
More settings accessible to standard users
Summary
5. Tools and Techniques for Solving Least Privilege Security Problems
Granting temporary administrative privileges
Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
Creating three support accounts
Creating a policy setting to automatically delete the support account at logoff
Testing the support accounts
Putting into practice
Granting temporary administrative access without a separate logon
Creating a batch file to elevate the privileges of the logged in user
Testing the procedure
Limitations of the procedure
Bypassing user account control for selected operations
Using Task Scheduler to run commands with elevated privileges
Running the Scheduled Task as a standard user
Configuring applications to run with elevated privileges on-the-fly
Solving LUA problems with Avecto Privilege Guard
Defining application groups
Defining access tokens
Configuring messages
Defining policies
Solving LUA problems with Privilege Manager
Defining Privilege Manager rules
Assigning permissions
Adding or removing individual privileges
Specifying integrity levels
Suppressing unwanted User Account Control prompts
Modifying application manifest files
Editing manifests using Resource Tuner
Modifying manifests using the RunAsInvoker shim
Setting permissions on files and registry keys
Identifying problems using Process Monitor
Modifying permissions on registry keys and files with Group Policy
Fixing problems with the HKey Classes Root registry hive
Using Registry Editor to copy keys from HKCR to HKCU
Mapping .ini files to the registry
Using LUA Buglight to identify file and registry access violations
Summary
6. Software Distribution using Group Policy
Installing software using Group Policy
Installing software using Windows Installer
Deploying software using Group Policy
Comparing Group Policy Software Installation with system images for software distribution
Choosing between thin and fat images
Preparing applications for deployment
Extracting .msi files from setup packages
Using WinRAR or 7-Zip to extract .msi files
Using command-line switches for silent installs and customization
Deploying system changes using Group Policy startup scripts
Creating an .msi wrapper
Repackaging an application with a legacy installer
Installing AdminStudio
Configuring AdminStudio's Repackager to run on a remote machine
Installing the remote repackager
Monitoring a legacy installation routine
Customizing an installation package
Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9
Using the Distributed File System with GPSI
Creating a DFS namespace
Adding a folder to the namespace
Deploying software using GPSI
Configuring software installation settings
Targeting devices using WMI filters and security groups
Active Directory security groups
Creating a security group to filter a GPO
Windows Management Instrumentation filtering
Upgrading software with GPSI
Uninstalling software with GPSI
Removing software when it falls out of scope of management
Removing .msi packages from Group Policy Objects
Summary
7. Managing Internet Explorer Add-ons
ActiveX controls
Per-user ActiveX controls
Changing the installation scope to per-user
Best practices
Deploying commonly used ActiveX controls
Deploying Adobe Flash and Shockwave Player
Deploying Microsoft Silverlight
ActiveX Installer Service
Enabling the ActiveX Installer Service
Using the GUI to install the ActiveX Installer Service
Using the command line to install the ActiveX Installer Service
Determining the ActiveX control host URL in Windows 7
Determining the ActiveX control host URL in Windows Vista
Configuring the ActiveX Installer Service with Group Policy
Testing the ActiveX Installer Service
Managing add-ons
Administrator approved controls
Determining the Class Identifier CLSID of an installed ActiveX control
Adding ActiveX controls to the Add-on List
Summary
8. Supporting Users Running with Least Privilege
Providing support
Preparing to support least privilege
Troubleshooting using remote access
Troubleshooting for notebook users
The notebook challenge
Having the right tools in place
Notebook users who seldom visit the office
Setting out IT policy
Other functions the help desk might require
The last resort: An administrative backdoor for notebooks
Enabling and using command-line remote access tools
WS-Management
Configuring WS-Management with Group Policy
Connecting to remote machines using WS-Management
Running standard Windows commands as an administrator on remote computers
Enumerating information using Windows Management Instrumentation
Performing actions on remote computers as an administrator using WMI methods
Connecting to WS-Management 1.1 from Windows Server 2008 R2
Working with WS-Management security
Automating administration tasks using PowerShell Remoting
Enabling and using graphical remote access tools
Enabling Remote Assistance
Different types of Remote Assistance
Enabling Remote Assistance via Group Policy
Offering a computer unsolicited Remote Assistance: DCOM
Sending Remote Assistance invitations
Initiating Remote Assistance from the command line
Connecting to remote PCs using Easy Connect
Enabling Remote Assistance with Network Address Translation
Remote Desktop
Connecting to a remote computer using the Microsoft Management Console (MMC)
Configuring Windows Firewall to allow remote access
Creating a GPO for Windows Firewall in Windows 7
Importing Windows 7 Firewall rules to a GPO
Modifying the default Windows Firewall rules
Adding additional inbound exceptions for remote administration
Creating a WMI filter to restrict the scope of management to Windows 7
Linking the new GPO to the Client OU
Checking the GPO applies to Windows 7
Creating a GPO for Windows Firewall in Vista
Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile
Creating a WMI query for Windows Vista
Creating a GPO for Windows Firewall in Windows XP
Configuring GPO settings
Creating an exception for WS-Management
Creating an exception for Remote Desktop
Creating an exception for Remote Administration
Creating an exception for Remote Assistance
Creating a WMI filter to restrict the scope of management to Windows XP
Linking the new GPO to the Client OU
Summary
9. Deploying Software Restriction Policies and AppLocker
Controlling applications
Blocking portable applications
Securing Group Policy
Preventing users from circumventing Group Policy
Implementing Software Restriction Policy
Creating a whitelist with Software Restriction Policy
Defining hash rules
Defining path rules
Trusting software signed by a preferred publisher (Certificate Rules)
Making exceptions for IE zones (Network/Internet Zone Rule)
Creating a whitelist with Software Restriction Policy
Configuring applications to run as a standard user
AppLocker
Automatically generating AppLocker rules
Manually creating an AppLocker rule to blacklist an application
Importing and exporting AppLocker rules
Summary
10. Least Privilege in Windows XP
Installing Windows XP using the Microsoft Deployment Toolkit
Providing a Volume License product key for an MDT XP Task Sequence
Windows XP security model
Power users
Network Configuration Operators
Support_&1234&
User rights
Modifying logon rights and privileges
Logon rights
Privileges
CD burning
Third-party CD/DVD burning software
Nero Burning ROM
Installing Nero BurnRights
Configuring Nero BurnRights from the command line
Allowing non-administrative users to burn discs in CDBurnerXP
Additional security settings
Restricting access to removable media
ActiveX controls
Flash Player
Acrobat Reader
Silverlight
Other popular ActiveX controls
RealPlayer
QuickTime
Sun Java Runtime Environment
Alternatives to QuickTime and RealPlayer
Changing the system time and time zone
Changing the system time
Changing the time zone
Setting time zone registry permissions using a GPO
Power management
Managing power settings with Group Policy Preferences
Creating a GPO startup script to install GPP CSEs
Configuring power options using Group Policy Preferences
Configuring the registry for access to power settings
Managing network configuration
Configuring Restricted Groups
Identifying LUA problems using Standard User Analyzer
Summary
11. Preparing Vista and Windows 7 for Least Privilege Security
The Application Compatibility Toolkit
Application Compatibility Manager
Installing and configuring ACT
Creating a Data Collection Package
Analyzing data collected by ACT
The application attempted to store a file in a restricted location
The application attempted to store a file in a system location that was virtualized by Windows Vista
The application attempted to open a restricted registry key and write to a restricted registry location
The application attempted to store information under the HKEY_LOCAL_MACHINE\SOFTWARE registry hive
Printers and Least Privilege Security
Installing printers using Group Policy Preferences
Installing printers using Windows Server 2003 Print Management and Group Policy
Installing printers using a script
Logon scripts
Synchronizing the system time
Updating antivirus definitions
Changing protected system configuration
Mapping network drives and printers
Creating desktop shortcuts
Why do a desktop refresh from a technical perspective?
Different methods of reinstalling Windows
Manual, non-destructive install
Automated install
Reinstall Vista or Windows 7 with Least Privilege Security
Installing the Microsoft Deployment Toolkit
Creating a deployment share
Adding an operating system image
Adding core packages to our Lite Touch installation
Creating a Lite Touch task sequence
Updating our deployment share
Preserving default local group membership
Refreshing our OS with the Windows Deployment Wizard
Summary
12. Provisioning Applications on Secure Desktops with Remote Desktop Services
Introducing Remote Desktop Services
Installing Remote Desktop Session Host and Licensing roles
Controlling access to the Remote Desktop Server
Installing the Remote Desktop Gateway
Creating Connection (CAP) and Resource (RAP) Authorization Policies
Installing the RD Gateway SSL Certificate in Windows 7
Connecting to a Remote Desktop Server via an RD Gateway from Windows 7
Installing applications on Remote Desktop Servers
Publishing applications using Remote Desktop Services
Adding applications to the RemoteApp Manager
Managing Remote Desktop Services licenses
Understanding Remote Desktop Licensing
Revoking Per Device Remote Desktop Services Client Access Licences
Tracking Per User Remote Desktop Services Client Access Licences
Installing Remote Desktop Web Access
Configuring RSS for advertising RemoteApps in Windows 7
Understanding Remote Desktop and Virtual Desktop Infrastructures
Scaling with Remote Desktop Services
Summary
13. Balancing Flexibility and Security with Application Virtualization
Microsoft Application Virtualization 4.5 SP1 for Windows desktops
Isolating applications with SystemGuard
Deploying App-V
Deploying App-V using the standalone model
Deploying App-V using the streaming model
Deploying App-V using the full infrastructure
Creating a self-service system with App-V for standard users
Enforcing security descriptors
Emulating Application Programming Interface (API)
Solving App-V compatibility problems with shims
Sequencing an application for App-V
Installing the sequencer
Installing the client
Streaming applications with an App-V Server
Installing Microsoft System Center Application Virtualization Streaming Server
Deploying and managing applications for users who never connect to the corporate intranet
Updating applications and Differential Streaming
Active Update
Override URL
VMware ThinApp
Summary
14. Deploying XP Mode VMs with MED-V
Solving least privilege security problems using virtual machines
Virtual PC and Windows 7 XP Mode
Differentiating between App-V and XP Mode
Setting up Windows 7 XP Mode
Launching applications installed in XP Mode from the Windows 7 Start menu
Security concerns when running XP Mode
Microsoft Enterprise Desktop Virtualization (MED-V)
Installing MED-V 1.0 SP1
Installing the Image Repository
Installing the MED-V Server component
Installing the MED-V Management Console
Preparing a virtual machine for use with MED-V
Working with the MED-V Management Console
Importing a VM for testing
Creating a usage policy
Testing the workspace and usage policy
Packing the VM for use with the MED-V Server
Uploading the VM image to the MED-V Server
Testing the uploaded VM image
Summary
Index

Systemvoraussetzungen

Dateiformat: ePUB
Kopierschutz: Adobe-DRM (Digital Rights Management)

Systemvoraussetzungen:

Computer (Windows; MacOS X; Linux): Installieren Sie bereits vor dem Download die kostenlose Software Adobe Digital Editions (siehe E-Book Hilfe).
Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions oder die App PocketBook (siehe E-Book Hilfe).
E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat ePUB ist sehr gut für Romane und Sachbücher geeignet – also für „fließenden” Text ohne komplexes Layout. Bei E-Readern oder Smartphones passt sich der Zeilen- und Seitenumbruch automatisch den kleinen Displays an.
Mit Adobe-DRM wird hier ein „harter” Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.

Bitte beachten Sie: Wir empfehlen Ihnen unbedingt nach Installation der Lese-Software diese mit Ihrer persönlichen Adobe-ID zu autorisieren!

Weitere Informationen finden Sie in unserer E-Book Hilfe.

Dateiformat: PDF
Kopierschutz: Adobe-DRM (Digital Rights Management)

Systemvoraussetzungen:

Computer (Windows; MacOS X; Linux): Installieren Sie bereits vor dem Download die kostenlose Software Adobe Digital Editions (siehe E-Book Hilfe).
Tablet/Smartphone (Android; iOS): Installieren Sie bereits vor dem Download die kostenlose App Adobe Digital Editions oder die App PocketBook (siehe E-Book Hilfe).
E-Book-Reader: Bookeen, Kobo, Pocketbook, Sony, Tolino u.v.a.m. (nicht Kindle)

Das Dateiformat PDF zeigt auf jeder Hardware eine Buchseite stets identisch an. Daher ist eine PDF auch für ein komplexes Layout geeignet, wie es bei Lehr- und Fachbüchern verwendet wird (Bilder, Tabellen, Spalten, Fußnoten). Bei kleinen Displays von E-Readern oder Smartphones sind PDF leider eher nervig, weil zu viel Scrollen notwendig ist.
Mit Adobe-DRM wird hier ein „harter” Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.

Bitte beachten Sie: Wir empfehlen Ihnen unbedingt nach Installation der Lese-Software diese mit Ihrer persönlichen Adobe-ID zu autorisieren!

Weitere Informationen finden Sie in unserer E-Book Hilfe.

Als PDF speichern Als Link merken