| |
| |
Foreword | |
| |
| |
Acknowledgments | |
| |
| |
Introduction | |
| |
| |
| |
Introducing Windows Vista | |
| |
| |
| |
New Security Features | |
| |
| |
Security Development Lifecycle | |
| |
| |
Improved C++ Security | |
| |
| |
Address Space Layout Randomization | |
| |
| |
Data Execution Protection | |
| |
| |
Protected Processes | |
| |
| |
Windows Vista User Experience | |
| |
| |
Host-Based Security | |
| |
| |
Boot Changes | |
| |
| |
Boot Configuration Data | |
| |
| |
System Recovery | |
| |
| |
Startup Repair Tool | |
| |
| |
BitLocker Drive Encryption and TPM | |
| |
| |
Security Defaults | |
| |
| |
Windows Defender | |
| |
| |
Malicious Software Removal Tool | |
| |
| |
Improved Logon Architecture | |
| |
| |
LAN Manager Disabled | |
| |
| |
Better Support for Additional Authentication Methods | |
| |
| |
Session Isolation | |
| |
| |
Service Hardening | |
| |
| |
Enhanced Device Driver Experience | |
| |
| |
User-Mode Driver Framework | |
| |
| |
Portable Media Device Control | |
| |
| |
ReadyBoost Memory | |
| |
| |
User Account Control | |
| |
| |
Secure Desktop | |
| |
| |
Mandatory Integrity Control | |
| |
| |
Improved File, Folder, and Registry Protection | |
| |
| |
NTFS Changes | |
| |
| |
Creator Owners Can Be Prevented from Having Full Control | |
| |
| |
Per Socket Permissions | |
| |
| |
New Built-in Users and Groups | |
| |
| |
File and Registry Virtualization | |
| |
| |
Windows Resource Protection | |
| |
| |
Encryption Enhancements | |
| |
| |
EFS Enhancements | |
| |
| |
RMS-Integrated Client | |
| |
| |
Unix on Windows | |
| |
| |
Improved Patch Management | |
| |
| |
Hot Patching and Restart Manager | |
| |
| |
Improved Event Logs | |
| |
| |
Subscription and Forwarded Events | |
| |
| |
Task Manager | |
| |
| |
Increased Emphasis on Backup | |
| |
| |
Securing E-mail and the Internet | |
| |
| |
Windows Mail | |
| |
| |
Internet Explorer | |
| |
| |
IIS 7 | |
| |
| |
Securing Windows Networks | |
| |
| |
Enhanced Network Location Awareness | |
| |
| |
Network Map | |
| |
| |
The Rebuilt TCP/IP Stack with IPv6 | |
| |
| |
Routing Compartmentalization | |
| |
| |
Windows Firewall | |
| |
| |
Domain Isolation | |
| |
| |
Improved Wireless Security | |
| |
| |
New Peer-to-Peer Networking | |
| |
| |
SMB 2.0 | |
| |
| |
Group Policy | |
| |
| |
64-bit Only Improvements | |
| |
| |
Future Improvements | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
How Hackers Attack | |
| |
| |
Malicious Exploitation | |
| |
| |
Eight Exploitation Techniques | |
| |
| |
Logon Credential Guessing/Cracking | |
| |
| |
Password Guessing | |
| |
| |
Buffer Overflow | |
| |
| |
Metasploit Framework | |
| |
| |
OS or Application Vulnerability | |
| |
| |
Privilege Escalation | |
| |
| |
Information Disclosure | |
| |
| |
Data Malformation | |
| |
| |
Unintended Consequences | |
| |
| |
OS or Application Misconfiguration | |
| |
| |
Eavesdropping/Man-in-the-Middle Attack | |
| |
| |
Denial of Service Attack | |
| |
| |
Client-Side Attack | |
| |
| |
Social Engineering | |
| |
| |
Dedicated Hacker Methodology | |
| |
| |
Automated Malware | |
| |
| |
Computer Virus | |
| |
| |
Computer Worm | |
| |
| |
Trojan Horse Program | |
| |
| |
Bot | |
| |
| |
Spyware | |
| |
| |
Adware | |
| |
| |
Where Windows Malware Hides | |
| |
| |
Why Malicious Hackers Hack | |
| |
| |
Summary | |
| |
| |
| |
Windows Infrastructure | |
| |
| |
Boot Sequence | |
| |
| |
Boot Viruses No Longer a Threat | |
| |
| |
BitLocker Volume Encryption | |
| |
| |
Enabling TPM and BitLocker | |
| |
| |
Post-Boot Startup | |
| |
| |
Applying Security Policy | |
| |
| |
Name Resolution | |
| |
| |
NetBIOS Name Resolution Is Often Required | |
| |
| |
User Profiles | |
| |
| |
Services | |
| |
| |
Services You Need To Understand | |
| |
| |
Svchost | |
| |
| |
RPC | |
| |
| |
SMB/CIFS | |
| |
| |
Computer Browser, Workstation, and Server Service | |
| |
| |
Autorun Programs | |
| |
| |
Registry | |
| |
| |
Registry Structure | |
| |
| |
HKey_Local_Machine Hive | |
| |
| |
HKey_Classes_Root | |
| |
| |
HKey_Current_Users | |
| |
| |
HKey_Users | |
| |
| |
HK_Current Config | |
| |
| |
Logon Authentication | |
| |
| |
Identity | |
| |
| |
Authentication | |
| |
| |
Computer Accounts | |
| |
| |
Password Storage | |
| |
| |
Authentication Protocols | |
| |
| |
SAM Versus Active Directory | |
| |
| |
Cache Credentials | |
| |
| |
Access Control | |
| |
| |
Share Versus NTFS Permissions | |
| |
| |
Impersonation Versus Delegation | |
| |
| |
Integrity Controls | |
| |
| |
Summary | |
| |
| |
| |
Host-Based Security | |
| |
| |
| |
User Account Control | |
| |
| |
Introduction | |
| |
| |
Basics | |
| |
| |
Security Identifiers | |
| |
| |
Security Token | |
| |
| |
The Case for Least Privilege | |
| |
| |
Admins Are Omnipotent | |
| |
| |
User Account Control Is More Than You Think | |
| |
| |
Elevation | |
| |
| |
Non-Admin Elevation | |
| |
| |
Special Topics in Elevation | |
| |
| |
New Privileges to Delegate Common Tasks | |
| |
| |
Application Factoring | |
| |
| |
Virtualization | |
| |
| |
Integrity Labels and Low Rights Apps | |
| |
| |
Special Treatment of Built-in Administrator | |
| |
| |
No More Power Users | |
| |
| |
UAC and Remote Access | |
| |
| |
SMB Access | |
| |
| |
Remote Desktop and Remote Assistance | |
| |
| |
UAC Policy Configuration | |
| |
| |
User Account Control: Admin Approval Mode for the Built-in Administrator Account | |
| |
| |
User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode | |
| |
| |
User Account Control: Behavior of the Elevation Prompt for Standard Users | |
| |
| |
User Account Control: Detect Application Installations and Prompt for Elevation | |
| |
| |
User Account Control: Only Elevate Executables that Are Signed and Validated | |
| |
| |
User Account Control: Only Elevate UIAccess Applications that Are Installed in Secure Locations | |
| |
| |
User Account Control: Run All Administrators in Admin Approval Mode | |
| |
| |
User Account Control: Switch to the Secure Desktop when Prompting for Elevation | |
| |
| |
User Account Control: Virtualize File and Registry Write Failures to Per-User Locations | |
| |
| |
Frequently Asked Questions About UAC | |
| |
| |
Why Can't I Access My Files? | |
| |
| |
Why Can't I Delete Stuff If I Elevate Windows Explorer? | |
| |
| |
How Do I Disable UAC? | |
| |
| |
What Happens If I Turn Off UAC? | |
| |
| |
What Access Do Low Processes Have to High Processes? | |
| |
| |
Why Does the Screen Have to Go Black? | |
| |
| |
I Don't Need UAC; Can I Just Enable It for Other Users? | |
| |
| |
What About Remote Access? | |
| |
| |
Why Isn't UAC More Like Sudo? | |
| |
| |
How Do I Audit Elevation? | |
| |
| |
Leveraging User Account Control in Applications | |
| |
| |
Application Manifests | |
| |
| |
Elevating Installers | |
| |
| |
Elevating in Scripts | |
| |
| |
The Elevate Tool | |
| |
| |
Elevated Command Prompt | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Managing Access Control | |
| |
| |
Access Control Terminology | |
| |
| |
Securable Object | |
| |
| |
Access Control List | |
| |
| |
Security Descriptor | |
| |
| |
Access Control List Entry | |
| |
| |
ACL Representations | |
| |
| |
Inheritance | |
| |
| |
How an Access Control List Is Used | |
| |
| |
Major Access Control List Changes in Vista | |
| |
| |
Least Privilege | |
| |
| |
New and Modified Users and Groups | |
| |
| |
Administrator - Disabled By Default | |
| |
| |
Power Users Permissions Removed | |
| |
| |
Trusted Installer | |
| |
| |
Help and Support Accounts Removed | |
| |
| |
New Network Location SIDs | |
| |
| |
OWNER_RIGHT and Owner Rights | |
| |
| |
Default ACLs | |
| |
| |
Trusted Installer | |
| |
| |
Deny ACEs | |
| |
| |
Default Permissions | |
| |
| |
Share Security | |
| |
| |
Changes to Token | |
| |
| |
Integrity Levels | |
| |
| |
Tools to Manage Access Control Lists | |
| |
| |
Cacls and Icacls | |
| |
| |
Save ACLs | |
| |
| |
Restore ACLs | |
| |
| |
Substitute SIDs | |
| |
| |
Change Owner | |
| |
| |
Find All ACEs Granted to a Particular User | |
| |
| |
Resetting ACLs | |
| |
| |
Grant/Deny/Remove | |
| |
| |
Set Integrity Level | |
| |
| |
ACL UI | |
| |
| |
Other Tools | |
| |
| |
Registry ACLs | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Application Security | |
| |
| |
Client Security | |
| |
| |
Service Hardening | |
| |
| |
Service SID | |
| |
| |
Services Running with Less Privilege | |
| |
| |
Reduction of Privileges in Services | |
| |
| |
Write Restricted Tokens | |
| |
| |
Firewall Policies Restricting Services | |
| |
| |
Named Pipes Hardening | |
| |
| |
Windows Resource Protection | |
| |
| |
Session 0 Isolation | |
| |
| |
Sessions | |
| |
| |
Window Stations | |
| |
| |
Desktops | |
| |
| |
Why Session Isolation Is Needed | |
| |
| |
How Session 0 Isolation Works | |
| |
| |
Reducing the Footprint | |
| |
| |
No Longer Installed by Default | |
| |
| |
Gone Altogether | |
| |
| |
Added Instead | |
| |
| |
It Should Have Been Gone | |
| |
| |
Restart Manager | |
| |
| |
ActiveX Installer Service | |
| |
| |
Antivirus | |
| |
| |
Desktop Optimization Pack | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Vista Client Protection | |
| |
| |
Popularity of Client-Side Attacks | |
| |
| |
Malicious Software Removal Tool | |
| |
| |
Security Center | |
| |
| |
Windows Defender | |
| |
| |
Windows Live OneCare | |
| |
| |
Microsoft Forefront Client Security | |
| |
| |
Should Microsoft Be in the Anti-Malware Business? | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Securing Internet and E-mail Access | |
| |
| |
| |
Securing Internet Explorer | |
| |
| |
Should You Use Another Browser? | |
| |
| |
New IE 7.0 Security Features | |
| |
| |
Protected Mode | |
| |
| |
New Low Integrity Folders and Registry Keys | |
| |
| |
IE Compatibility Shims | |
| |
| |
Protected Mode's Impact on Malware and Hackers | |
| |
| |
Anti-Phishing Filter | |
| |
| |
Add-on Management | |
| |
| |
Improved ActiveX Control Handling | |
| |
| |
Improved Digital Certificate Handling and Encryption | |
| |
| |
Improved URL Handling Protections | |
| |
| |
CardSpace | |
| |
| |
Internet Explorer Security Settings | |
| |
| |
Security Zones | |
| |
| |
Local Computer Zone | |
| |
| |
Internet Site Zone | |
| |
| |
Local Intranet Zone | |
| |
| |
Trusted Sites Zone | |
| |
| |
Restricted Sites Zone | |
| |
| |
Zone Security Settings | |
| |
| |
.NET Framework - Loose XAML | |
| |
| |
.NET Framework - XAML Browser Applications | |
| |
| |
.NET Framework - XPS Documents | |
| |
| |
.NET Framework-Reliant Components - Run Components Not Signed with Authenticode | |
| |
| |
.NET Framework-Reliant Components - Run Components Signed with Authenticode | |
| |
| |
ActiveX Controls and Plug-Ins - Allow Previously Unused ActiveX Controls to Run Without Prompting | |
| |
| |
ActiveX Controls and Plug-Ins - Allow Scriptlets | |
| |
| |
ActiveX Controls and Plug-Ins - Automatic Prompting for ActiveX Controls | |
| |
| |
ActiveX Controls and Plug-Ins - Binary and Script Behaviors | |
| |
| |
ActiveX Controls and Plug-Ins - Display Video and Animation on a Web Page That Does Not Use External Media Player | |
| |
| |
ActiveX Controls and Plug-Ins - Download Signed ActiveX Controls | |
| |
| |
ActiveX Controls and Plug-Ins - Download Unsigned ActiveX Controls | |
| |
| |
ActiveX Controls and Plug-Ins - Initialize and Script ActiveX Controls Not Marked as Safe for Scripting | |
| |
| |
ActiveX Controls and Plug-Ins - Run ActiveX Controls and Plug-Ins | |
| |
| |
ActiveX Controls and Plug-Ins - Script ActiveX Controls Marked Safe for Scripting | |
| |
| |
Downloads - Automatic Prompting for File Downloads | |
| |
| |
Downloads - File Download | |
| |
| |
Downloads - Font Download | |
| |
| |
Enable .NET Framework Setup | |
| |
| |
Java VM-Java Permissions | |
| |
| |
Miscellaneous - Access Data Sources Across Domains | |
| |
| |
Miscellaneous - Allow META REFRESH | |
| |
| |
Miscellaneous - Allow Scripting of Internet Explorer Web Browser Control | |
| |
| |
Miscellaneous - Allow Script-Initiated Windows Without Size or Position Constraints | |
| |
| |
Miscellaneous - Allow Web Pages to Use Restricted Protocols for Active Content | |
| |
| |
Miscellaneous - Allow Websites to Open Windows Without Address or Status Bars | |
| |
| |
Miscellaneous - Display Mixed Content | |
| |
| |
Miscellaneous - Don't Prompt for Client Certificate Selection When No Certificates or Only One Certificate Exists | |
| |
| |
Miscellaneous - Drag and Drop or Copy and Paste Files | |
| |
| |
Miscellaneous - Include Local Directory Path When Uploading Files to a Server | |
| |
| |
Miscellaneous - Installation of Desktop Items | |
| |
| |
Miscellaneous - Launching Applications and Unsafe Files | |
| |
| |
Miscellaneous - Launching Programs and Files in an Iframe | |
| |
| |
Miscellaneous - Navigate Sub-Frames Across Different Domains | |
| |
| |
Miscellaneous - Open Files Based on Content, Not File Extension | |
| |
| |
Miscellaneous - Software Channel Permissions | |
| |
| |
Miscellaneous - Submit Non-Encrypted Form Data | |
| |
| |
Miscellaneous - Use Phishing Filter | |
| |
| |
Miscellaneous - Use Pop-Up Blocker | |
| |
| |
Miscellaneous - Userdata Persistence | |
| |
| |
Miscellaneous - Web Sites in Less Privileged Web Content Zone Can Navigate into This Zone | |
| |
| |
Scripting - Active Scripting | |
| |
| |
Scripting - Allow Programmatic Clipboard Access | |
| |
| |
Scripting - Allow Status Bar Updates Via Script | |
| |
| |
Scripting - Allow Websites to Prompt for Information Using Scripted Window | |
| |
| |
Scripting - Scripting of Java Applets | |
| |
| |
User Authentication | |
| |
| |
IE Advanced Settings | |
| |
| |
Browsing - Disable Script Debugging (Internet Explorer or Other) | |
| |
| |
Browsing - Display a Notification About Every Script Error | |
| |
| |
Browsing - Enable Third-Party Extensions | |
| |
| |
Browsing - Use Inline Autocomplete | |
| |
| |
International - Send UTF-8 URLs | |
| |
| |
Java (or Java-Sun) - Use JRE x.x for <applet> | |
| |
| |
Security - Allow Active Content from CDs to Run on My Computer | |
| |
| |
Security - Allow Active Content to Run in Files on My Computer | |
| |
| |
Security - Allow Software to Run or Install Even If the Signature Is Invalid | |
| |
| |
Security - Check for Publisher's Certificate Revocation | |
| |
| |
Security - Check for Server Certificate Revocation | |
| |
| |
Security - Check for Signatures on Downloaded Programs | |
| |
| |
Security - Do Not Save Encrypted Pages to Disk | |
| |
| |
Security - Empty Temporary Internet Files Folder When Browser Is Closed | |
| |
| |
Enable Memory Protection to Help Mitigate Online Attacks | |
| |
| |
Security - Enable Integrated Windows Authentication | |
| |
| |
Security - Phishing Filter Settings | |
| |
| |
Security - Use SSL 2.0, SSL 3.0, TLS 1.0 | |
| |
| |
Security - Warn About Invalid Site Certificates | |
| |
| |
Security - Warn If Changing Between Secure and Not Secure Mode | |
| |
| |
Security - Warn If Forms Submittal Is Being Redirected | |
| |
| |
Other Browser Recommendations | |
| |
| |
Don't Browse Untrusted Web Sites | |
| |
| |
Keep IE Patches Updated | |
| |
| |
Will Internet Explorer 7 Be Hacked A Lot? | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Introducing IIS 7 | |
| |
| |
Web Server Threats | |
| |
| |
Application Vulnerabilities | |
| |
| |
OS Vulnerabilities | |
| |
| |
Back-End Database Issues | |
| |
| |
Protocol Vulnerabilities | |
| |
| |
Buffer Overflows | |
| |
| |
Directory Traversal Attacks | |
| |
| |
Sniffing Attacks | |
| |
| |
Denial of Service | |
| |
| |
Password Guessing Attacks | |
| |
| |
Introduction to IIS | |
| |
| |
New IIS Features | |
| |
| |
Installing IIS 7 | |
| |
| |
IIS Components | |
| |
| |
IIS Protocol Listeners | |
| |
| |
HTTP.SYS | |
| |
| |
Net.TCP | |
| |
| |
Net.Pipe | |
| |
| |
Net.P2P | |
| |
| |
Net.MSMQ | |
| |
| |
Worker Processes, Application Pools, and Identities | |
| |
| |
Worker Processes | |
| |
| |
Application Pools | |
| |
| |
Application Pool Identities | |
| |
| |
IUSR and IIS_USRS | |
| |
| |
IIS Administration | |
| |
| |
Feature Delegation | |
| |
| |
IIS Authentication | |
| |
| |
Anonymous Authentication | |
| |
| |
ASP.NET Impersonation | |
| |
| |
Basic Authentication | |
| |
| |
Digest Authentication | |
| |
| |
Forms Authentication | |
| |
| |
Windows Authentication | |
| |
| |
Client Side Mapping | |
| |
| |
Web Server Access Control Permissions | |
| |
| |
IIS Handler Permissions | |
| |
| |
NTFS Permissions | |
| |
| |
Defending IIS | |
| |
| |
Step Summary | |
| |
| |
Configuring Network/Perimeter Security | |
| |
| |
Ensuring Physical Security | |
| |
| |
Installing Updated Hardware Drivers | |
| |
| |
Installing an Operating System | |
| |
| |
Configuring a Host Firewall | |
| |
| |
Configuring Remote Administration | |
| |
| |
Installing IIS in a Minimal Configuration | |
| |
| |
Installing Patches | |
| |
| |
Hardening the Operating System | |
| |
| |
Configuring and Tightening IIS | |
| |
| |
Installing Additional IIS Features | |
| |
| |
IIS 7 Modules | |
| |
| |
Minimizing Web Components Even Further | |
| |
| |
Feature Delegation | |
| |
| |
Strengthening NTFS Permissions | |
| |
| |
Configuring Request Filtering | |
| |
| |
Securing Web Sites | |
| |
| |
Hardening NTFS Permissions | |
| |
| |
Web Site IP Settings | |
| |
| |
Application Pool Changes | |
| |
| |
Cleaning and Testing | |
| |
| |
Installing and Securing Applications | |
| |
| |
Conducting Penetration Tests | |
| |
| |
Deploying to Production | |
| |
| |
Monitoring Log Files | |
| |
| |
Summary | |
| |
| |
| |
Protecting E-mail | |
| |
| |
E-mail Threats | |
| |
| |
Malicious File Attachments | |
| |
| |
File Extension Tricks | |
| |
| |
Embedded Content | |
| |
| |
Embedded Links | |
| |
| |
Leaked Passwords | |
| |
| |
Other Miscellaneous E-mail Threats | |
| |
| |
Introducing Windows Mail | |
| |
| |
Phishing Detection | |
| |
| |
Improved Junk Mail Detection | |
| |
| |
Sender White Lists and Black Lists | |
| |
| |
Top-Level Domain Blocking | |
| |
| |
Simplified E-mail Storage | |
| |
| |
E-mail Defenses | |
| |
| |
Convert All E-mail to Plain-text | |
| |
| |
Execute All HTML Content in the Restricted Zone | |
| |
| |
Disable Automatic Downloading of HTML Content | |
| |
| |
Filter Out Dangerous File Attachments | |
| |
| |
Install Anti-Malware Software | |
| |
| |
Disable Plain-Text Passwords | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Securing Windows Networks | |
| |
| |
| |
Managing Windows Firewall | |
| |
| |
New Features | |
| |
| |
Windows Filtering Platform | |
| |
| |
IPv6 | |
| |
| |
Integration with IPsec | |
| |
| |
Stealth | |
| |
| |
Boot Time Filtering | |
| |
| |
Strict Source Mapping | |
| |
| |
Service Hardening and the Firewall | |
| |
| |
IPv6 | |
| |
| |
Outbound Filtering | |
| |
| |
How Much Security Can Outbound Filtering Provide? | |
| |
| |
Firewall Management | |
| |
| |
Firewall Profiles | |
| |
| |
Management Interfaces | |
| |
| |
Windows Firewall Control Panel | |
| |
| |
Security Center | |
| |
| |
Windows Firewall with Advanced Security | |
| |
| |
Group Policy Editor | |
| |
| |
Netsh | |
| |
| |
Application Programming Interfaces | |
| |
| |
Rule Types | |
| |
| |
Directional Rules | |
| |
| |
Connection Security Rules | |
| |
| |
When to Use Which Rules | |
| |
| |
Rule Precedence | |
| |
| |
Firewall Scenarios | |
| |
| |
Restricting Access Based on End-Point | |
| |
| |
Blocking Outbound SMB in Public Profile | |
| |
| |
Allowing Management Traffic via VPN | |
| |
| |
Managing Firewall in a Mixed or Down-Level Environment | |
| |
| |
RPC | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Server and Domain Isolation | |
| |
| |
Server and Domain Isolation Overview | |
| |
| |
Domain Isolation | |
| |
| |
Server Isolation | |
| |
| |
Forget About the Perimeter | |
| |
| |
Network Threat Modeling | |
| |
| |
Changes in Windows Vista Affecting SDI | |
| |
| |
AuthIP | |
| |
| |
Client-to-DC IPsec | |
| |
| |
Authentication with Multiple Credentials | |
| |
| |
Improved Negotiation Flow | |
| |
| |
Vastly Improved Configuration User Interface | |
| |
| |
Domain Isolation Rules | |
| |
| |
Server Isolation Rules | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Wireless Security | |
| |
| |
Wi-Fi Terminology and Technologies | |
| |
| |
Wi-Fi Standards | |
| |
| |
Infrastructure versus Ad-Hoc Mode | |
| |
| |
Wi-Fi Standards | |
| |
| |
Wi-Fi Security Standards | |
| |
| |
Wired Equivalent Privacy | |
| |
| |
Wi-Fi Protected Access/802.11i | |
| |
| |
Wireless Threats | |
| |
| |
Eavesdropping | |
| |
| |
Unauthorized Access | |
| |
| |
Bypassing of Traditional Defenses | |
| |
| |
Malware Injection | |
| |
| |
Denial of Service Attacks | |
| |
| |
New Wireless Improvements in Vista | |
| |
| |
Securing Wireless Networks | |
| |
| |
802.11 Legacy Wireless Security Recommendations | |
| |
| |
Changing Access Point's Default SSID | |
| |
| |
Enabling MAC Filtering | |
| |
| |
Disabling DHCP on the Access Point | |
| |
| |
Requiring User Authentication Passwords | |
| |
| |
Turning Off SSID Broadcasting | |
| |
| |
Changing an Access Point's Default Administrator Password | |
| |
| |
WEP | |
| |
| |
VPN Protocols | |
| |
| |
Using WPA | |
| |
| |
Using WPA2/802.11i | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Group Policy and Best Practices | |
| |
| |
| |
Using Group Policy | |
| |
| |
New Group Policy Features | |
| |
| |
Multiple Local Group Policies | |
| |
| |
Group Policy Precedence | |
| |
| |
Using MLGPOs in a Domain Environment | |
| |
| |
Difference between Local GPOs and Domain GPOs | |
| |
| |
New Administrative Template Format | |
| |
| |
Template Embedding | |
| |
| |
Migrating to ADMX | |
| |
| |
Client-Side Pulling and Network Location Awareness | |
| |
| |
Updated Group Policy Features | |
| |
| |
Group Policy Management Console v. 2.0 | |
| |
| |
Internet Explorer Management Without IEAK | |
| |
| |
Group Policy Application Factored from Winlogon | |
| |
| |
Group Policy Logging Moved to System Event Log | |
| |
| |
New or Updated Group Policy Settings | |
| |
| |
New Security Options | |
| |
| |
Security Options with Modified Defaults | |
| |
| |
Removed Security Options | |
| |
| |
New Administrative Template Settings | |
| |
| |
Settings That Require Reboot or Logon | |
| |
| |
Windows Vista Security Guide | |
| |
| |
Do You Need the Vista Security Guide? | |
| |
| |
What Is Good in the Vista Security Guide | |
| |
| |
What Could Have Been Better in the Vista Security Guide | |
| |
| |
Importance of the Guide | |
| |
| |
Active Directory Schema Updates | |
| |
| |
Managing Group Policy in a Mixed Environment | |
| |
| |
Rollout Strategy | |
| |
| |
Logon Scripts Fail Because of UAC | |
| |
| |
Using Group Policy in a NAP Environment | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Thinking about Security | |
| |
| |
It Still Comes Down to Risk Management | |
| |
| |
Jesper's Position | |
| |
| |
Roger's Position | |
| |
| |
Enterprise Risk Management | |
| |
| |
The Three-Step Approach to Security | |
| |
| |
Keep 'em Off the Box | |
| |
| |
Keep 'em from Running | |
| |
| |
Keep 'em from Communicating | |
| |
| |
Thinking Differently about Security | |
| |
| |
The Top 2 (+ or -1, or so) Client Security Hacks | |
| |
| |
Jesper's Thoughts | |
| |
| |
Roger's Thoughts | |
| |
| |
Anti-Malware Is Not a Panacea | |
| |
| |
Jesper's Thoughts | |
| |
| |
Roger's Thoughts | |
| |
| |
Tweaking It | |
| |
| |
Security Tweaks You Should Make | |
| |
| |
Turn on DEP for Internet Explorer | |
| |
| |
Security Tweaks You Shouldn't Make | |
| |
| |
Agreeing to Disagree | |
| |
| |
Jesper's Position | |
| |
| |
Roger's Position | |
| |
| |
Wetware | |
| |
| |
Summary | |
| |
| |
Best Practices | |
| |
| |
| |
Building a Windows PE Boot Disk | |
| |
| |
Building a WinPE Bootable USB Flash Drive | |
| |
| |
Downloading WAIK | |
| |
| |
Building the WinPE Image | |
| |
| |
| |
References | |
| |
| |
Index | |