| |
| |
| Foreword | |
| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| |
| Introducing Windows Vista | |
| |
| |
| |
| New Security Features | |
| |
| |
| Security Development Lifecycle | |
| |
| |
| Improved C++ Security | |
| |
| |
| Address Space Layout Randomization | |
| |
| |
| Data Execution Protection | |
| |
| |
| Protected Processes | |
| |
| |
| Windows Vista User Experience | |
| |
| |
| Host-Based Security | |
| |
| |
| Boot Changes | |
| |
| |
| Boot Configuration Data | |
| |
| |
| System Recovery | |
| |
| |
| Startup Repair Tool | |
| |
| |
| BitLocker Drive Encryption and TPM | |
| |
| |
| Security Defaults | |
| |
| |
| Windows Defender | |
| |
| |
| Malicious Software Removal Tool | |
| |
| |
| Improved Logon Architecture | |
| |
| |
| LAN Manager Disabled | |
| |
| |
| Better Support for Additional Authentication Methods | |
| |
| |
| Session Isolation | |
| |
| |
| Service Hardening | |
| |
| |
| Enhanced Device Driver Experience | |
| |
| |
| User-Mode Driver Framework | |
| |
| |
| Portable Media Device Control | |
| |
| |
| ReadyBoost Memory | |
| |
| |
| User Account Control | |
| |
| |
| Secure Desktop | |
| |
| |
| Mandatory Integrity Control | |
| |
| |
| Improved File, Folder, and Registry Protection | |
| |
| |
| NTFS Changes | |
| |
| |
| Creator Owners Can Be Prevented from Having Full Control | |
| |
| |
| Per Socket Permissions | |
| |
| |
| New Built-in Users and Groups | |
| |
| |
| File and Registry Virtualization | |
| |
| |
| Windows Resource Protection | |
| |
| |
| Encryption Enhancements | |
| |
| |
| EFS Enhancements | |
| |
| |
| RMS-Integrated Client | |
| |
| |
| Unix on Windows | |
| |
| |
| Improved Patch Management | |
| |
| |
| Hot Patching and Restart Manager | |
| |
| |
| Improved Event Logs | |
| |
| |
| Subscription and Forwarded Events | |
| |
| |
| Task Manager | |
| |
| |
| Increased Emphasis on Backup | |
| |
| |
| Securing E-mail and the Internet | |
| |
| |
| Windows Mail | |
| |
| |
| Internet Explorer | |
| |
| |
| IIS 7 | |
| |
| |
| Securing Windows Networks | |
| |
| |
| Enhanced Network Location Awareness | |
| |
| |
| Network Map | |
| |
| |
| The Rebuilt TCP/IP Stack with IPv6 | |
| |
| |
| Routing Compartmentalization | |
| |
| |
| Windows Firewall | |
| |
| |
| Domain Isolation | |
| |
| |
| Improved Wireless Security | |
| |
| |
| New Peer-to-Peer Networking | |
| |
| |
| SMB 2.0 | |
| |
| |
| Group Policy | |
| |
| |
| 64-bit Only Improvements | |
| |
| |
| Future Improvements | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| How Hackers Attack | |
| |
| |
| Malicious Exploitation | |
| |
| |
| Eight Exploitation Techniques | |
| |
| |
| Logon Credential Guessing/Cracking | |
| |
| |
| Password Guessing | |
| |
| |
| Buffer Overflow | |
| |
| |
| Metasploit Framework | |
| |
| |
| OS or Application Vulnerability | |
| |
| |
| Privilege Escalation | |
| |
| |
| Information Disclosure | |
| |
| |
| Data Malformation | |
| |
| |
| Unintended Consequences | |
| |
| |
| OS or Application Misconfiguration | |
| |
| |
| Eavesdropping/Man-in-the-Middle Attack | |
| |
| |
| Denial of Service Attack | |
| |
| |
| Client-Side Attack | |
| |
| |
| Social Engineering | |
| |
| |
| Dedicated Hacker Methodology | |
| |
| |
| Automated Malware | |
| |
| |
| Computer Virus | |
| |
| |
| Computer Worm | |
| |
| |
| Trojan Horse Program | |
| |
| |
| Bot | |
| |
| |
| Spyware | |
| |
| |
| Adware | |
| |
| |
| Where Windows Malware Hides | |
| |
| |
| Why Malicious Hackers Hack | |
| |
| |
| Summary | |
| |
| |
| |
| Windows Infrastructure | |
| |
| |
| Boot Sequence | |
| |
| |
| Boot Viruses No Longer a Threat | |
| |
| |
| BitLocker Volume Encryption | |
| |
| |
| Enabling TPM and BitLocker | |
| |
| |
| Post-Boot Startup | |
| |
| |
| Applying Security Policy | |
| |
| |
| Name Resolution | |
| |
| |
| NetBIOS Name Resolution Is Often Required | |
| |
| |
| User Profiles | |
| |
| |
| Services | |
| |
| |
| Services You Need To Understand | |
| |
| |
| Svchost | |
| |
| |
| RPC | |
| |
| |
| SMB/CIFS | |
| |
| |
| Computer Browser, Workstation, and Server Service | |
| |
| |
| Autorun Programs | |
| |
| |
| Registry | |
| |
| |
| Registry Structure | |
| |
| |
| HKey_Local_Machine Hive | |
| |
| |
| HKey_Classes_Root | |
| |
| |
| HKey_Current_Users | |
| |
| |
| HKey_Users | |
| |
| |
| HK_Current Config | |
| |
| |
| Logon Authentication | |
| |
| |
| Identity | |
| |
| |
| Authentication | |
| |
| |
| Computer Accounts | |
| |
| |
| Password Storage | |
| |
| |
| Authentication Protocols | |
| |
| |
| SAM Versus Active Directory | |
| |
| |
| Cache Credentials | |
| |
| |
| Access Control | |
| |
| |
| Share Versus NTFS Permissions | |
| |
| |
| Impersonation Versus Delegation | |
| |
| |
| Integrity Controls | |
| |
| |
| Summary | |
| |
| |
| |
| Host-Based Security | |
| |
| |
| |
| User Account Control | |
| |
| |
| Introduction | |
| |
| |
| Basics | |
| |
| |
| Security Identifiers | |
| |
| |
| Security Token | |
| |
| |
| The Case for Least Privilege | |
| |
| |
| Admins Are Omnipotent | |
| |
| |
| User Account Control Is More Than You Think | |
| |
| |
| Elevation | |
| |
| |
| Non-Admin Elevation | |
| |
| |
| Special Topics in Elevation | |
| |
| |
| New Privileges to Delegate Common Tasks | |
| |
| |
| Application Factoring | |
| |
| |
| Virtualization | |
| |
| |
| Integrity Labels and Low Rights Apps | |
| |
| |
| Special Treatment of Built-in Administrator | |
| |
| |
| No More Power Users | |
| |
| |
| UAC and Remote Access | |
| |
| |
| SMB Access | |
| |
| |
| Remote Desktop and Remote Assistance | |
| |
| |
| UAC Policy Configuration | |
| |
| |
| User Account Control: AdminApproval Mode for the Built-in Administrator Account | |
| |
| |
| User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode | |
| |
| |
| User Account Control: Behavior of the Elevation Prompt for Standard Users | |
| |
| |
| User Account Control: Detect Application Installations and Prompt for Elevation | |
| |
| |
| User Account Control: Only Elevate Executables that Are Signed and Validated | |
| |
| |
| User Account Control: Only Elevate UIAccess Applications that Are Installed in Secure Locations | |
| |
| |
| User Account Control: Run All Administrators in Admin Approval Mode | |
| |
| |
| User Account Control: Switch to the Secure Desktop when Prompting for Elevation | |
| |
| |
| User Account Control: Virtualize File and Registry Write Failures to Per-User Locations | |
| |
| |
| Frequently Asked Questions About UAC | |
| |
| |
| Why Can't I Access My Files? | |
| |
| |
| Why Can't I Delete Stuff If I Elevate Windows Explorer? | |
| |
| |
| How Do I Disable UAC? | |
| |
| |
| What Happens If I Turn Off UAC? | |
| |
| |
| What Access Do Low Processes Have to High Processes? | |
| |
| |
| Why Does the Screen Have to Go Black? | |
| |
| |
| I Don't Need UAC; Can I Just Enable It for Other Users? | |
| |
| |
| What About Remote Access? | |
| |
| |
| Why Isn't UAC More Like Sudo? | |
| |
| |
| How Do I Audit Elevation? | |
| |
| |
| Leveraging User Account Control in Applications | |
| |
| |
| Application Manifests | |
| |
| |
| Elevating Installers | |
| |
| |
| Elevating in Scripts | |
| |
| |
| The Elevate Tool | |
| |
| |
| Elevated Command Prompt | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Managing Access Control | |
| |
| |
| Access Control Terminology | |
| |
| |
| Securable Object | |
| |
| |
| Access Control List | |
| |
| |
| Security Descriptor | |
| |
| |
| Access Control List Entry | |
| |
| |
| ACL Representations | |
| |
| |
| Inheritance | |
| |
| |
| How an Access Control List Is Used | |
| |
| |
| Major Access Control List Changes in Vista | |
| |
| |
| Least Privilege | |
| |
| |
| New and Modified Users and Groups | |
| |
| |
| Administrator - Disabled By Default | |
| |
| |
| Power Users Permissions Removed | |
| |
| |
| Trusted Installer | |
| |
| |
| Help and Support Accounts Removed | |
| |
| |
| New Network Location SIDs | |
| |
| |
| OWNER_RIGHT and Owner Rights | |
| |
| |
| Default ACLs | |
| |
| |
| Trusted Installer | |
| |
| |
| Deny ACEs | |
| |
| |
| Default Permissions | |
| |
| |
| Share Security | |
| |
| |
| Changes to Token | |
| |
| |
| Integrity Levels | |
| |
| |
| Tools to Manage Access Control Lists | |
| |
| |
| Cacls and Icacls | |
| |
| |
| Save ACLs | |
| |
| |
| Restore ACLs | |
| |
| |
| Substitute SIDs | |
| |
| |
| Change Owner | |
| |
| |
| Find All Aces Granted to a Particular User | |
| |
| |
| Resetting ACLs | |
| |
| |
| Grant/Deny/Remove | |
| |
| |
| Set Integrity Level | |
| |
| |
| ACL UI | |
| |
| |
| Other Tools | |
| |
| |
| Registry ACLs | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Application Security | |
| |
| |
| Client Security | |
| |
| |
| Service Hardening | |
| |
| |
| Service SID | |
| |
| |
| Services Running with Less Privilege | |
| |
| |
| Reduction of Privileges in Services | |
| |
| |
| Write Restricted Tokens | |
| |
| |
| Firewall Policies Restricting Services | |
| |
| |
| Named Pipes Hardening | |
| |
| |
| Windows Resource Protection | |
| |
| |
| Session 0 Isolation | |
| |
| |
| Sessions | |
| |
| |
| Window Stations | |
| |
| |
| Desktops | |
| |
| |
| Why Session Isolation Is Needed | |
| |
| |
| How Session 0 Isolation Works | |
| |
| |
| Reducing the Footprint | |
| |
| |
| No Longer Installed by Default | |
| |
| |
| Gone Altogether | |
| |
| |
| Added Instead | |
| |
| |
| It Should Have Been Gone | |
| |
| |
| Restart Manager | |
| |
| |
| ActiveX Installer Service | |
| |
| |
| Antivirus | |
| |
| |
| Desktop Optimization Pack | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Vista Client Protection | |
| |
| |
| Popularity of Client-Side Attacks | |
| |
| |
| Malicious Software Removal Tool | |
| |
| |
| Security Center | |
| |
| |
| Windows Defender | |
| |
| |
| Windows Live OneCare | |
| |
| |
| Microsoft Forefront Client Security | |
| |
| |
| Should Microsoft Be in the Anti-Malware Business? | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Securing Internet and E-mail Access | |
| |
| |
| |
| Securing Internet Explorer | |
| |
| |
| Should You Use Another Browser? | |
| |
| |
| New IE 7.0 Security Features | |
| |
| |
| Protected Mode | |
| |
| |
| New Low Integrity Folders and Registry Keys | |
| |
| |
| IE Compatibility Shims | |
| |
| |
| Protected Mode's Impact on Malware and Hackers | |
| |
| |
| Anti-Phishing Filter | |
| |
| |
| Add-on Management | |
| |
| |
| Improved ActiveX Control Handling | |
| |
| |
| Improved Digital Certificate Handling and Encryption | |
| |
| |
| Improved URL Handling Protections | |
| |
| |
| CardSpace | |
| |
| |
| Internet Explorer Security Settings | |
| |
| |
| Security Zones | |
| |
| |
| Local Computer Zone | |
| |
| |
| Internet Site Zone | |
| |
| |
| Local Intranet Zone | |
| |
| |
| Trusted Sites Zone | |
| |
| |
| Restricted Sites Zone | |
| |
| |
| Zone Security Settings | |
| |
| |
| .NET Framework - Loose XAML | |
| |
| |
| .NET Framework - XAML Browser Applications | |
| |
| |
| .NET Framework - XPS Documents | |
| |
| |
| .NET Framework-Reliant Components - Run Components Not Signed with Authenticode | |
| |
| |
| .NET Framework-Reliant Components - Run Components Signed with Authenticode | |
| |
| |
| ActiveX Controls and Plug-Ins - Allow Previously Unused ActiveX Controls to Run Without Prompting | |
| |
| |
| ActiveX Controls and Plug-Ins - Allow Scriptlets | |
| |
| |
| ActiveX Controls and Plug-Ins - Automatic Prompting for ActiveX Controls | |
| |
| |
| ActiveX Controls and Plug-Ins - Binary and Script Behaviors | |
| |
| |
| ActiveX Controls and Plug-Ins - Display Video and Animation on a Web Page That Does Not Use External Media Player | |
| |
| |
| ActiveX Controls and Plug-Ins - Download Signed ActiveX Controls | |
| |
| |
| ActiveX Controls and Plug-Ins - Download Unsigned ActiveX Controls | |
| |
| |
| ActiveX Controls and Plug-Ins - Initialize and Script ActiveX Controls Not Marked as Safe for Scripting | |
| |
| |
| ActiveX Controls and Plug-Ins - Run ActiveX Controls and Plug-Ins | |
| |
| |
| ActiveX Controls and Plug-Ins - Script ActiveX Controls Marked Safe for Scripting | |
| |
| |
| Downloads - Automatic Prompting for File Downloads | |
| |
| |
| Downloads - File Download | |
| |
| |
| Downloads - Font Download | |
| |
| |
| Enable .Net Framework Setup | |
| |
| |
| Java VM-Java Permissions | |
| |
| |
| Miscellaneous - Access Data Sources Across Domains | |
| |
| |
| Miscellaneous - Allow META REFRESH | |
| |
| |
| Miscellaneous - Allow Scripting of Internet Explorer Web Browser Control | |
| |
| |
| Miscellaneous - Allow Script-Initiated Windows Without Size or Position Constraints | |
| |
| |
| Miscellaneous - Allow Web Pages to Use Restricted Protocols for Active Content | |
| |
| |
| Miscellaneous - Allow Websites to Open Windows Without Address or Status Bars | |
| |
| |
| Miscellaneous - Display Mixed Content | |
| |
| |
| Miscellaneous - Don't Prompt for Client Certificate Selection When No Certificates or Only One Certificate Exists | |
| |
| |
| Miscellaneous - Drag and Drop or Copy and Paste Files | |
| |
| |
| Miscellaneous - Include Local Directory Path When Uploading Files to a Server | |
| |
| |
| Miscellaneous - Installation of Desktop Items | |
| |
| |
| Miscellaneous - Launching Applications and Unsafe Files | |
| |
| |
| Miscellaneous - Launching Programs and Files in an Iframe | |
| |
| |
| Miscellaneous - Navigate Sub-Frames Across Different Domains | |
| |
| |
| Miscellaneous - Open Files Based on Content, Not File Extension | |
| |
| |
| Miscellaneous - Software Channel Permissions | |
| |
| |
| Miscellaneous - Submit Non-Encrypted Form Data | |
| |
| |
| Miscellaneous - Use Phishing Filter | |
| |
| |
| Miscellaneous - Use Pop-Up Blocker | |
| |
| |
| Miscellaneous - Userdata Persistence | |
| |
| |
| Miscellaneous - Web Sites in Less Privileged Web Content Zone Can Navigate into This Zone | |
| |
| |
| Scripting - Active Scripting | |
| |
| |
| Scripting - Allow Programmatic Clipboard Access | |
| |
| |
| Scripting - Allow Status Bar Updates Via Script | |
| |
| |
| Scripting - Allow Websites to Prompt for Information Using Scripted Window | |
| |
| |
| Scripting - Scripting of Java Applets | |
| |
| |
| User Authentication | |
| |
| |
| IE Advanced Settings | |
| |
| |
| Browsing - Disable Script Debugging (Internet Explorer or Other) | |
| |
| |
| Browsing - Display a Notification About Every Script Error | |
| |
| |
| Browsing - Enable Third-Party Extensions | |
| |
| |
| Browsing - Use Inline Autocomplete | |
| |
| |
| International - Send UTF-8 URLS | |
| |
| |
| Java (or Java-Sun) - Use JRE x.x for [left angle bracket]applet[right angle bracket] | |
| |
| |
| Security - Allow Active Content from CDs to Run on My Computer | |
| |
| |
| Security - Allow Active Content to Run in Files on My Computer | |
| |
| |
| Security - Allow Software to Run or Install Even If the Signature Is Invalid | |
| |
| |
| Security - Check for Publisher's Certificate Revocation | |
| |
| |
| Security - Check for Server Certificate Revocation | |
| |
| |
| Security - Check for Signatures on Downloaded Programs | |
| |
| |
| Security - Do Not Save Encrypted Pages to Disk | |
| |
| |
| Security - Empty Temporary Internet Files Folder When Browser Is Closed | |
| |
| |
| Enable Memory Protection to Help Mitigate Online Attacks | |
| |
| |
| Security - Enable Integrated Windows Authentication | |
| |
| |
| Security - Phishing Filter Settings | |
| |
| |
| Security - Use SSL 2.0, SSL 3.0, TLS 1.0 | |
| |
| |
| Security - Warn About Invalid Site Certificates | |
| |
| |
| Security - Warn If Changing Between Secure and Not Secure Mode | |
| |
| |
| Security - Warn If Forms Submittal Is Being Redirected | |
| |
| |
| Other Browser Recommendations | |
| |
| |
| Don't Browse Untrusted Web Sites | |
| |
| |
| Keep IE Patches Updated | |
| |
| |
| Will Internet Explorer 7 Be Hacked A Lot? | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Introducing IIS 7 | |
| |
| |
| Web Server Threats | |
| |
| |
| Application Vulnerabilities | |
| |
| |
| OS Vulnerabilities | |
| |
| |
| Back-End Database Issues | |
| |
| |
| Protocol Vulnerabilities | |
| |
| |
| Buffer Overflows | |
| |
| |
| Directory Traversal Attacks | |
| |
| |
| Sniffing Attacks | |
| |
| |
| Denial of Service | |
| |
| |
| Password Guessing Attacks | |
| |
| |
| Introduction to IIS | |
| |
| |
| New IIS Features | |
| |
| |
| Installing IIS 7 | |
| |
| |
| IIS Components | |
| |
| |
| IIS Protocol Listeners | |
| |
| |
| HTTP.SYS | |
| |
| |
| Net.TCP | |
| |
| |
| Net.Pipe | |
| |
| |
| Net.P2P | |
| |
| |
| Net.MSMQ | |
| |
| |
| Worker Processes, Application Pools, and Identities | |
| |
| |
| Worker Processes | |
| |
| |
| Application Pools | |
| |
| |
| Application Pool Identities | |
| |
| |
| IUSR and IIS_USRS | |
| |
| |
| IIS Administration | |
| |
| |
| Feature Delegation | |
| |
| |
| IIS Authentication | |
| |
| |
| Anonymous Authentication | |
| |
| |
| ASP.NET Impersonation | |
| |
| |
| Basic Authentication | |
| |
| |
| Digest Authentication | |
| |
| |
| Forms Authentication | |
| |
| |
| Windows Authentication | |
| |
| |
| Client Side Mapping | |
| |
| |
| Web Server Access Control Permissions | |
| |
| |
| IIS Handler Permissions | |
| |
| |
| NTFS Permissions | |
| |
| |
| Defending IIS | |
| |
| |
| Step Summary | |
| |
| |
| Configuring Network/Perimeter Security | |
| |
| |
| Ensuring Physical Security | |
| |
| |
| Installing Updated Hardware Drivers | |
| |
| |
| Installing an Operating System | |
| |
| |
| Configuring a Host Firewall | |
| |
| |
| Configuring Remote Administration | |
| |
| |
| Installing IIS in a Minimal Configuration | |
| |
| |
| Installing Patches | |
| |
| |
| Hardening the Operating System | |
| |
| |
| Configuring and Tightening IIS | |
| |
| |
| Installing Additional IIS Features | |
| |
| |
| IIS 7 Modules | |
| |
| |
| Minimizing Web Components Even Further | |
| |
| |
| Feature Delegation | |
| |
| |
| Strengthening NTFS Permissions | |
| |
| |
| Configuring Request Filtering | |
| |
| |
| Securing Web Sites | |
| |
| |
| Hardening NTFS Permissions | |
| |
| |
| Web Site IP Settings | |
| |
| |
| Application Pool Changes | |
| |
| |
| Cleaning and Testing | |
| |
| |
| Installing and Securing Applications | |
| |
| |
| Conducting Penetration Tests | |
| |
| |
| Deploying to Production | |
| |
| |
| Monitoring Log Files | |
| |
| |
| Summary | |
| |
| |
| |
| Protecting E-mail | |
| |
| |
| E-mail Threats | |
| |
| |
| Malicious File Attachments | |
| |
| |
| File Extension Tricks | |
| |
| |
| Embedded Content | |
| |
| |
| Embedded Links | |
| |
| |
| Leaked Passwords | |
| |
| |
| Other Miscellaneous E-mail Threats | |
| |
| |
| Introducing Windows Mail | |
| |
| |
| Phishing Detection | |
| |
| |
| Improved Junk Mail Detection | |
| |
| |
| Sender White Lists and Black Lists | |
| |
| |
| Top-Level Domain Blocking | |
| |
| |
| Simplified E-mail Storage | |
| |
| |
| E-mail Defenses | |
| |
| |
| Convert All E-mail to Plain-text | |
| |
| |
| Execute All HTML Content in the Restricted Zone | |
| |
| |
| Disable Automatic Downloading of HTML Content | |
| |
| |
| Filter Out Dangerous File Attachments | |
| |
| |
| Install Anti-Malware Software | |
| |
| |
| Disable Plain-Text Passwords | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Securing Windows Networks | |
| |
| |
| |
| Managing Windows Firewall | |
| |
| |
| New Features | |
| |
| |
| Windows Filtering Platform | |
| |
| |
| IPv6 | |
| |
| |
| Integration with IPsec | |
| |
| |
| Stealth | |
| |
| |
| Boot Time Filtering | |
| |
| |
| Strict Source Mapping | |
| |
| |
| Service Hardening and the Firewall | |
| |
| |
| IPv6 | |
| |
| |
| Outbound Filtering | |
| |
| |
| How Much Security Can Outbound Filtering Provide? | |
| |
| |
| Firewall Management | |
| |
| |
| Firewall Profiles | |
| |
| |
| Management Interfaces | |
| |
| |
| Windows Firewall Control Panel | |
| |
| |
| Security Center | |
| |
| |
| Windows Firewall with Advanced Security | |
| |
| |
| Group Policy Editor | |
| |
| |
| Netsh | |
| |
| |
| Application Programming Interfaces | |
| |
| |
| Rule Types | |
| |
| |
| Directional Rules | |
| |
| |
| Connection Security Rules | |
| |
| |
| When to Use Which Rules | |
| |
| |
| Rule Precedence | |
| |
| |
| Firewall Scenarios | |
| |
| |
| Restricting Access Based on End-Point | |
| |
| |
| Blocking Outbound SMB in Public Profile | |
| |
| |
| Allowing Management Traffic via VPN | |
| |
| |
| Managing Firewall in a Mixed or Down-Level Environment | |
| |
| |
| RPC | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Server and Domain Isolation | |
| |
| |
| Server and Domain Isolation Overview | |
| |
| |
| Domain Isolation | |
| |
| |
| Server Isolation | |
| |
| |
| Forget About the Perimeter | |
| |
| |
| Network Threat Modeling | |
| |
| |
| Changes in Windows Vista Affecting SDI | |
| |
| |
| AuthIP | |
| |
| |
| Client-to-DC IPsec | |
| |
| |
| Authentication with Multiple Credentials | |
| |
| |
| Improved Negotiation Flow | |
| |
| |
| Vastly Improved Configuration User Interface | |
| |
| |
| Domain Isolation Rules | |
| |
| |
| Server Isolation Rules | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Wireless Security | |
| |
| |
| Wi-Fi Terminology and Technologies | |
| |
| |
| Wi-Fi Standards | |
| |
| |
| Infrastructure versus Ad-Hoc Mode | |
| |
| |
| Wi-Fi Standards | |
| |
| |
| Wi-Fi Security Standards | |
| |
| |
| Wired Equivalent Privacy | |
| |
| |
| Wi-Fi Protected Access/802.11i | |
| |
| |
| Wireless Threats | |
| |
| |
| Eavesdropping | |
| |
| |
| Unauthorized Access | |
| |
| |
| Bypassing of Traditional Defenses | |
| |
| |
| Malware Injection | |
| |
| |
| Denial of Service Attacks | |
| |
| |
| New Wireless Improvements in Vista | |
| |
| |
| Securing Wireless Networks | |
| |
| |
| 802.11 Legacy Wireless Security Recommendations | |
| |
| |
| Changing Access Point's Default SSID | |
| |
| |
| Enabling MAC Filtering | |
| |
| |
| Disabling DHCP on the Access Point | |
| |
| |
| Requiring User Authentication Passwords | |
| |
| |
| Turning Off SSID Broadcasting | |
| |
| |
| Changing an Access Point's Default Administrator Password | |
| |
| |
| WEP | |
| |
| |
| VPN Protocols | |
| |
| |
| Using WPA | |
| |
| |
| Using WPA2/802.11i | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Group Policy and Best Practices | |
| |
| |
| |
| Using Group Policy | |
| |
| |
| New Group Policy Features | |
| |
| |
| Multiple Local Group Policies | |
| |
| |
| Group Policy Precedence | |
| |
| |
| Using MLGPOs in a Domain Environment | |
| |
| |
| Difference between Local GPOs and Domain GPOs | |
| |
| |
| New Administrative Template Format | |
| |
| |
| Template Embedding | |
| |
| |
| Migrating to ADMX | |
| |
| |
| Client-Side Pulling and Network Location Awareness | |
| |
| |
| Updated Group Policy Features | |
| |
| |
| Group Policy Management Console v. 2.0 | |
| |
| |
| Internet Explorer Management Without IEAK | |
| |
| |
| Group Policy Application Factored from Winlogon | |
| |
| |
| Group Policy Logging Moved to System Event Log | |
| |
| |
| New or Updated Group Policy Settings | |
| |
| |
| New Security Options | |
| |
| |
| Security Options with Modified Defaults | |
| |
| |
| Removed Security Options | |
| |
| |
| New Administrative Template Settings | |
| |
| |
| Settings That Require Reboot or Logon | |
| |
| |
| Windows Vista Security Guide | |
| |
| |
| Do You Need the Vista Security Guide? | |
| |
| |
| What Is Good in the Vista Security Guide | |
| |
| |
| What Could Have Been Better in the Vista Security Guide | |
| |
| |
| Importance of the Guide | |
| |
| |
| Active Directory Schema Updates | |
| |
| |
| Managing Group Policy in a Mixed Environment | |
| |
| |
| Rollout Strategy | |
| |
| |
| Logon Scripts Fail Because of UAC | |
| |
| |
| Using Group Policy in a NAP Environment | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Thinking about Security | |
| |
| |
| It Still Comes Down to Risk Management | |
| |
| |
| Jesper's Position | |
| |
| |
| Roger's Position | |
| |
| |
| Enterprise Risk Management | |
| |
| |
| The Three-Step Approach to Security | |
| |
| |
| Keep 'em Off the Box | |
| |
| |
| Keep 'em from Running | |
| |
| |
| Keep 'em from Communicating | |
| |
| |
| Thinking Differently about Security | |
| |
| |
| The Top 2 (+ or -1, or so) Client Security Hacks | |
| |
| |
| Jesper's Thoughts | |
| |
| |
| Roger's Thoughts | |
| |
| |
| Anti-Malware Is Not a Panacea | |
| |
| |
| Jesper's Thoughts | |
| |
| |
| Roger's Thoughts | |
| |
| |
| Tweaking It | |
| |
| |
| Security Tweaks You Should Make | |
| |
| |
| Turn on DEP for Internet Explorer | |
| |
| |
| Security Tweaks You Shouldn't Make | |
| |
| |
| Agreeing to Disagree | |
| |
| |
| Jesper's Position | |
| |
| |
| Roger's Position | |
| |
| |
| Wetware | |
| |
| |
| Summary | |
| |
| |
| Best Practices | |
| |
| |
| |
| Building a Windows PE Boot Disk | |
| |
| |
| Building a WinPE Bootable USB Flash Drive | |
| |
| |
| Downloading WAIK | |
| |
| |
| Building the WinPE Image | |
| |
| |
| |
| References | |
| |
| |
| Index | |