Hack-Proofing Your Clients Using Windows 7 Security

Clients are the number one targets today when hackers, viruses, and trojans try to make their way into corporate networks and steal important data. In this session we look at various security features in Windows 7 and the threats they mitigate. Expect a live session packed with demonstrations and notes from the field.
/ Marcus.Murray@TrueSec.Com


Session goals!
1. Give you some ideas that you can bring home and implement in your environment
2. Awareness of security threats!

Teched Win7 Sec Page 1

10 November 2009, 15:51

Live session, no PPTs!

A PDF with ALL notes will be published on the TechEd website!


Why secure a Windows 7 box? (8 November 2009, 11:09)

What's in a box?
- Stored credentials
- Keystrokes
- Data [locally/remotely accessible]
- The user's actions! [monitor/spy]
- Access to servers! [stepping stone]

"Well, it's just a client, we protect our servers!!"

Why hackers prefer to attack clients:
- Easier to get to!
- Less security!
- Less logging!


My last 12 months (10 November 2009, 15:42)

Attack 1: External attack. Let's play a little game!! (8 November 2009, 11:09)
[Diagram: Attacker -> relay -> L:Cli-006/Enduser; SRV-001 [DC], CL-001 [Win7], CL-004 [XP]]

Sample security features that would have helped!
- DirectAccess
- Security-aware & trained users!?
- AppLocker
- UAC
- Advanced Firewall
- Hardening [signed macros]
[Diagram: L:Cli-006/Enduser; SRV-001 [DC], SRV-003 [FILE]]
To every attack there are countermeasures! The question is whether we have implemented them!!!

Controlling code execution: AppLocker (8 November 2009, 13:30)
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Pasted from <http://technet.microsoft.com/en-us/library/cc722487.aspx>
Application Identity service set to Automatic (required for AppLocker enforcement): http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx
Migrate/sign scripts (bulk): http://www.microsoft.com/downloads/details.aspx?FamilyId=13580CD7-A8BC-40EF-8281-DD2C325A5A81&displaylang=en
SELFCERT.EXE
Also require signed macros, PowerShell scripts etc.
"Only Allow Signed Macros" is generally a good idea: http://www.networkcomputing.in/Macros-Myth-and-Reality-ProductivIT-001Oct009
Download the Office 2007 Administrative Templates: http://www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en
Install the ADMX template in the ADMX Central Store: http://technet.microsoft.com/en-us/library/cc748955(WS.10).aspx

Application control policies process IRL (8 November 2009, 15:18)
AppLocker flow:
1. Software distributor: central handling of executables
2. Generate the policy on a model computer
3. TEST!
4. Import into a GPO
5. Central deployment: the AppLocker policy is pushed to the targets
[Diagram: Software Distributor -> Model Computer -> AppLocker Policy -> GPO -> Targets]

AppLocker demo! (8 November 2009, 12:40)
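The AppLocker flow above (inventory on the model computer, generate, TEST, import into the GPO, Application Identity service) as a script. This is an added example, not code from the session: it uses the AppLocker module that ships with Windows 7 Enterprise/Ultimate (the -Ldap step also needs the GPMC from RSAT on the box), and the file paths and the GPO DN are hypothetical placeholders.

```powershell
# Added example (not from the session): the AppLocker flow as a script.
# Assumptions: AppLocker module present, GPMC installed for the -Ldap step,
# hypothetical paths and a hypothetical GPO DN.
Import-Module AppLocker

$policyXml = 'C:\Temp\AppLocker-Model.xml'   # hypothetical path
$testCsv   = 'C:\Temp\AppLocker-Test.csv'    # hypothetical path
$gpoLdap   = 'LDAP://CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example'  # hypothetical GPO

# 1. Central handling of executables: inventory what the software distributor actually
#    put on the model computer; nothing else should be allowed to run.
$files = @()
foreach ($dir in 'C:\Program Files', 'C:\Windows') {
    $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate the policy on the model computer: publisher rules where files are signed,
#    hash rules for the rest; -Optimize collapses rules that share a publisher.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Start every rule collection in audit mode, so the GPO logs "would have been blocked"
# events (Applications and Services Logs\Microsoft\Windows\AppLocker) instead of blocking.
$xml = [xml]$policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyXml)

# 3. TEST! Evaluate the policy against files on user-writable paths. Anything reported as
#    Allowed here is a gap (a user could drop and run it); a business app reported as
#    Denied is a missing rule.
Get-ChildItem 'C:\Users' -Recurse -Include *.exe, *.dll, *.ps1, *.bat, *.cmd, *.vbs, *.msi -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone |
    Export-Csv -Path $testCsv -NoTypeInformation

# 4. Import into the GPO for central deployment (replaces the GPO's AppLocker policy;
#    add -Merge to combine with existing rules instead).
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap

# 5. Nothing is enforced unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# On a target computer after gpupdate: what policy is actually in effect?
Get-AppLockerPolicy -Effective -Xml
```

Flip the rule collections from AuditOnly to Enabled in the GPO only after the AppLocker event log on the pilot machines has been quiet for a while; the CSV from step 3 is the list of executables you still have to decide about.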

User Account Control (8 November 2009, 22:37)
The user experience when running as a regular user has improved!!
My recommendation: when possible, LOG OUT and back IN instead of elevating [prevents keylogging and elevation piggybacking].

Advanced firewall configuration on the client (9 November 2009, 07:13)
Firewall rules:
- Default: deny inbound, allow outbound
- Remote administration: allow only if secure (IPsec-authenticated), and only from a certain group (management computers/users)
[Diagram: Management computers/users -> Target computer]

Rules (9 November 2009, 10:10)
New Windows 7 feature: different profiles active simultaneously!
- Public on the wireless NIC
- Domain on the physical NIC

Advanced firewall concept and demo!
[Diagram: Management computers/users -> Office -> Published services (RODC, WEB, TS) -> Back-end services (DC, SQL, APP 1)]
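The client firewall design from the pages above (default deny inbound / allow outbound, remote administration only if secure and only from the management group, and a check of which profiles are active at the same time) as netsh advfirewall commands run from PowerShell. This is an added example and not the session's own demo; Windows 7 has no firewall PowerShell module, so netsh is what you actually type. The domain group names are hypothetical.

```powershell
# Added example (not from the session): "deny inbound, allow outbound, remote admin
# only if secure and only from the management group" with netsh advfirewall.
# Assumptions: hypothetical domain group names; domain profile only.
$mgmtComputers = 'CORP\Management Computers'   # hypothetical group of admin workstations
$mgmtUsers     = 'CORP\Workstation Admins'     # hypothetical group of admin users

function Get-GroupSddl([string]$account) {
    # netsh takes the allowed peer group as an SDDL DACL; translate name -> SID first.
    $nt  = New-Object System.Security.Principal.NTAccount($account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Default policy for every profile: block unsolicited inbound, allow outbound,
#    and stop locally created rules from silently re-opening ports.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set domainprofile settings localfirewallrules disable

# 2. Connection security: require IPsec authentication for inbound connections and
#    request it outbound, Kerberos for both the computer and the user.
#    (Peers that cannot do IPsec, e.g. printers, need their own exemption rule.)
netsh advfirewall consec add rule name="Require auth inbound" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb auth2=userkerb profile=domain

# 3. Remote administration: inbound RDP and WinRM are allowed only on an authenticated
#    connection AND only when the remote computer and user are in the management groups.
#    Use security=authenc instead of authenticate if the traffic must also be encrypted.
$compSddl = Get-GroupSddl $mgmtComputers
$userSddl = Get-GroupSddl $mgmtUsers
netsh advfirewall firewall add rule name="RemoteAdmin-RDP-secure" dir=in action=allow protocol=TCP localport=3389 security=authenticate rmtcomputergrp="$compSddl" rmtusrgrp="$userSddl" profile=domain
netsh advfirewall firewall add rule name="RemoteAdmin-WinRM-secure" dir=in action=allow protocol=TCP localport=5985 security=authenticate rmtcomputergrp="$compSddl" rmtusrgrp="$userSddl" profile=domain

# 4. Windows 7 may have several profiles active at once (Domain on the wired NIC,
#    Public on the wireless NIC); see which ones apply right now and verify the rule.
netsh advfirewall monitor show currentprofile
netsh advfirewall firewall show rule name="RemoteAdmin-RDP-secure" verbose
```

Because the allow rule carries both a computer group and a user group, a stolen admin password used from a non-management workstation fails the computer check, and a management workstation used by a regular user fails the user check; the default block-inbound policy covers everything else.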

Why do we need internal network protection? DEMO!

Attack 2: Network-based attack [internal]
(1) "Hi, I'm Bjorn. I want access!" (2) "A challenge for you!" (3) "Here is my response." [Diagram label: Present]

Sample security features that would have helped! (9 November 2009, 10:43)
- IPsec [Kerberos/certificates]
- Restrict NTLM
- Regular user [limits the effect]
- Advanced Firewall

Restrict NTLM (9 November 2009, 11:01)
The audit settings are great for analysis before deployment of the restriction rules!
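Putting a Windows 7 client into NTLM audit mode and reading back which servers still get NTLM from it, so the allow list exists before anything is denied. This is an added example, not part of the session: the registry values mirror the "Network security: Restrict NTLM" policy settings under Security Options (in production set them through the GPO, not by hand), the event text regexes are an assumption about the wording of event 8001, and the NAS name on the exception list is hypothetical.

```powershell
# Added example (not from the session): NTLM audit mode plus a summary of the audit log.
# Assumptions: registry values mirror the Restrict NTLM GPO settings; regexes assume the
# 8001 event text contains "Target server:", "Supplied user:" and "Name of client process:".
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Outgoing NTLM to remote servers: 0 = allow all, 1 = audit all, 2 = deny all.
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
# Audit incoming NTLM: 0 = off, 1 = domain accounts only, 2 = all accounts.
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM that would be blocked, logged on the client; incoming
    # authentications (8002) land on the server side and are not parsed here.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $target = if ($e.Message -match 'Target server:\s*(\S+)')        { $Matches[1] } else { '<unknown>' }
        $user   = if ($e.Message -match 'Supplied user:\s*(\S+)')        { $Matches[1] } else { '<unknown>' }
        $proc   = if ($e.Message -match 'Name of client process:\s*(.+)') { $Matches[1].Trim() } else { '<unknown>' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Target  = $target
            User    = $user
            Process = $proc
        }
    }
}

# Which servers would break if NTLM were denied, and which process talks to them.
Get-NtlmAuditSummary -Days 7 |
    Group-Object Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Servers that legitimately need NTLM (a NAS that cannot do Kerberos, say) go on the
# exception list, and only then does RestrictSendingNTLMTraffic move to 2 (deny).
Set-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -Value @('nas01.corp.example') -Type MultiString
```

Run the summary for a week or two on a pilot group: entries whose Process is something like a backup or inventory agent usually point to a service account without an SPN, which is fixed on the server side with setspn rather than by adding the server to the exception list.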

Force the use of smart cards to access resources!! (9 November 2009, 11:07)

Authentication Mechanism Assurance! (8 November 2009, 16:45)
Smart card logon = extra group membership!!
- Password logon = TS Employees
- Smart card logon = TS Employees + TS High Security Access
ADSIEDIT: Configuration/Services/Public Key Services/OID (1099/400)

Step-by-step (8 November 2009, 21:46)
Prerequisite: Windows Server 2008 R2 DC
1. Create a smart card template with an issuance policy: duplicate the Smartcard Logon/User template, Properties/Extensions/Issuance Policies; Security settings/Enroll etc.
2. Issue the template: New Certificate Template to Issue
3. Create a universal group
4. Link the issuance policy to the group:
   set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "High Security Access" -groupOU "OU_FOR_IPol_linked_groups" -groupName "TS High Security Access"
5. Verify the link:
   get-IssuancePolicy.ps1 -LinkedToGroup:all
6. Allow the group access to resources
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide: http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx
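A check of the issuance-policy-to-group link from a domain-joined Windows 7 box, plus the end-user test of whether the extra group actually showed up in the logon token. This is an added example, not the step-by-step guide's own get-IssuancePolicy.ps1: it uses plain ADSI (no AD module needed), the flags=2 filter for issuance-policy OID objects and the 0x8 universal-group bit are taken from the AD schema, and the "TS\" domain prefix on the group name is an assumption.

```powershell
# Added example (not from the session): verify the AMA link and the resulting token.
# Assumptions: flags=2 marks issuance-policy OID objects; groupType bit 0x8 = universal;
# "TS\" is an assumed domain prefix for the slide's group name.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$oidRoot  = [ADSI]"LDAP://CN=OID,CN=Public Key Services,CN=Services,$configNc"

function Get-IssuancePolicyLink {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($oidRoot)
    $searcher.Filter = '(&(objectClass=msPKI-Enterprise-Oid)(flags=2))'
    [void]$searcher.PropertiesToLoad.AddRange(@('displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'))
    foreach ($r in $searcher.FindAll()) {
        $links     = $r.Properties['msds-oidtogrouplink']
        $groupInfo = '<not linked>'
        if ($links.Count -gt 0) {
            $g = [ADSI]("LDAP://" + [string]$links[0])
            # AMA requires a universal security group; a global or domain-local group is
            # silently ignored, which is the classic "it does not work" mistake.
            $gt        = [int64]$g.groupType.Value
            $universal = (($gt -band 0x8) -ne 0)
            $groupInfo = '{0} (universal={1})' -f [string]$g.sAMAccountName.Value, $universal
        }
        New-Object PSObject -Property @{
            Policy = [string]$r.Properties['displayname'][0]
            Oid    = [string]$r.Properties['mspki-cert-template-oid'][0]
            Group  = $groupInfo
        }
    }
}

Get-IssuancePolicyLink | Format-Table Policy, Oid, Group -AutoSize

# End-user test: the extra group is only in the token after a smart-card logon, so log
# out, log in with the card, and look at the groups of the current token.
$id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value }
if ($groups -contains 'TS\TS High Security Access') {
    'Smart-card logon: high-security group present in token'
} else {
    'Password logon (or policy not linked): high-security group absent'
}
```

The token check is also the reason for the "log out/in instead of elevating" advice earlier: the group is evaluated at logon, so a session started with a password does not gain it by inserting the card later.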

The world is getting mobile, and so is Windows 7 security (9 November 2009, 11:00)

DirectAccess: if you are on the run :) (9 November 2009, 10:24)
[Diagram: Attacker -> relay -> DA Server; SRV-001 [DC], CL-001 [Win7], CL-004 [XP]]

Wizard-based configuration! (9 November 2009, 11:39)

Try it at home! (9 November 2009, 10:32)
DirectAccess Design Guide: http://technet.microsoft.com/en-us/library/ee382297(WS.10).aspx
Step-by-Step Guide: Demonstrate DirectAccess in a Test Lab: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=8d47ed5f-d217-4d84-b698-f39360d82fac
DirectAccess on Microsoft TechNet: http://technet.microsoft.com/en-us/network/dd420463.aspx

BitLocker & BitLocker To Go (9 November 2009, 08:23)
Big values: protects OS drives / fixed drives / removable drives.
Highly configurable through GPO: Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption
Data Recovery Agent for BitLocker recovery [PKI]: GPO / Computer Configuration / Windows Settings / Security Settings / Public Key Policies / BitLocker Drive Encryption
Get the protectors for a drive: CMD: manage-bde -protectors -get <drive letter>
Recover a drive with the DRA certificate: CMD: manage-bde -unlock e: -cert -ct "23 dd d7 5b b1 9c f9 6e c2 36 aa bb 01 84 3e 7b da 17 3b 01"
BitLocker Drive Encryption Step-by-Step Guide for Windows 7: http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx
Using Data Recovery Agents with BitLocker: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx
BitLocker Drive Encryption Step-by-Step Guide for Windows Server 2008: http://technet.microsoft.com/en-us/library/cc732725(WS.10).aspx

Using smart cards with BitLocker (10 November 2009, 14:34)
Certificate templates:
- BitLocker-enabled smart card: duplicate the Smart Card / Smart Card Logon template and add the BitLocker OID 1.3.6.1.4.1.311.67.1.1
- BitLocker DRA: duplicate a template and add the BitLocker DRA OID 1.3.6.1.4.1.311.67.1.2

BitLocker certificates (10 November 2009, 14:07)
Preparation steps, BitLocker certificates:
1. Create a smart card certificate template [BitLocker OID 1.3.6.1.4.1.311.67.1.1]
2. Issue the smart card certificate template
3. Deploy smart card certificates to users
4. Set the correct GPO settings for BitLocker
5. Apply the GPO to the targets
6. Encrypt the drives
BitLocker Drive Encryption Step-by-Step Guide for Windows 7: http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx

BitLocker recovery (10 November 2009, 14:07)
Preparation steps, BitLocker recovery:
1. Create a DRA certificate template [BitLocker DRA OID 1.3.6.1.4.1.311.67.1.2]
2. Issue the DRA certificate template
3. Request a DRA certificate
4. Export the certificate [do NOT export the private key]
5. Map the certificate into the GPO
6. Set the correct GPO settings for BitLocker
7. Apply the GPO to the targets
8. Encrypt the drives
Using Data Recovery Agents with BitLocker: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx
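The BitLocker pages above leave two things to check on the target: did every drive actually get the protectors the GPO asked for (including the DRA), and does the recovery with manage-bde -unlock -cert work with the DRA certificate you exported? This is an added example, not from the session: Windows 7 has no BitLocker PowerShell module, so it wraps manage-bde and keys on the English labels of its output (a heuristic), and the FVE policy value names are assumed to be the ones written by the "Choose how ... drives can be recovered" settings.

```powershell
# Added example (not from the session): audit BitLocker protectors and DRA policy on a
# Windows 7 client, and recover a drive with the DRA certificate via manage-bde.
# Assumptions: English manage-bde output labels; FVE registry value names as below.
$bitlockerOid = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Drive Encryption (user/smart card cert)
$draOid       = '1.3.6.1.4.1.311.67.1.2'   # BitLocker Data Recovery Agent

function Get-BdeProtectorSummary {
    param([string]$Drive)
    $out = & manage-bde -protectors -get $Drive 2>&1 | Out-String
    New-Object PSObject -Property @{
        Drive       = $Drive
        TpmAndPin   = [bool]($out -match 'TPM And PIN')
        TpmOnly     = [bool](($out -match '\bTPM:') -and -not ($out -match 'TPM And PIN'))
        RecoveryPwd = [bool]($out -match 'Numerical Password')
        Dra         = [bool]($out -match 'Data Recovery Agent')   # label heuristic
        UserCert    = [bool]($out -match 'Certificate')           # label heuristic
    }
}

function Test-BdeDraPolicy {
    # The DRA is only added when the drive is encrypted AND the policy said so; an
    # exported DRA certificate with this disabled recovers nothing.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSManageDRA', 'FDVManageDRA', 'RDVManageDRA') {
        $v = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
        New-Object PSObject -Property @{ Setting = $name; Enabled = ($v -eq 1) }
    }
}

function Get-DraCertificate {
    # Find a DRA certificate with the private key in the recovering admin's store by
    # walking the EKU extension (pure .NET, so it works on Windows 7 / PowerShell 2.0).
    foreach ($c in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $c.HasPrivateKey) { continue }
        foreach ($ext in $c.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($eku in $ext.EnhancedKeyUsages) {
                    if ($eku.Value -eq $draOid) { return $c }
                }
            }
        }
    }
    return $null
}

function Unlock-BdeWithDra {
    param([string]$Drive)
    $cert = Get-DraCertificate
    if (-not $cert) { throw "No certificate with EKU $draOid and a private key in Cert:\CurrentUser\My" }
    # manage-bde takes the thumbprint; format it as the slide shows (space-separated bytes).
    $ct = $cert.Thumbprint -replace '(..)(?!$)', '$1 '
    & manage-bde -unlock $Drive -cert -ct $ct
}

'C:', 'D:' | ForEach-Object { Get-BdeProtectorSummary $_ } | Format-Table Drive, TpmAndPin, TpmOnly, RecoveryPwd, Dra, UserCert -AutoSize
Test-BdeDraPolicy | Format-Table -AutoSize
# Recovery test on a spare data drive: Unlock-BdeWithDra 'E:'
```

A drive that shows TpmOnly true and TpmAndPin false is what a stolen laptop attacker hopes for; a drive that shows Dra false on a machine where Test-BdeDraPolicy reports the setting enabled was encrypted before the GPO arrived and needs the DRA added with manage-bde -protectors -add.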

Steps to hack-proofing your clients using Windows 7 security (8 November 2009, 21:32)
1. If you haven't already: upgrade to Windows 7 :)
2. Limit system exposure: run as Standard User
3. Prevent execution of unwanted code: implement AppLocker
4. Limit network exposure: use the Advanced Firewall
5. Authenticate/encrypt allowed inbound connections: use the Advanced Firewall [+IPsec]
6. Protect your authentication traffic: Restrict NTLM / IPsec
7. Manage the computer while on the road: DirectAccess
8. Protect from physical exposure: use BitLocker
And the good old traditional stuff that is still VERY important:
9. Keep the OS, applications and drivers up to date! Follow the patch management policy; use WSUS/SCCM etc.
10. Harden the OS and applications: use the Microsoft Security Guides / SCW for servers etc.
11. Monitor health / restrict "unhealthy" access: use Network Access Protection! (And use the health certificates for IPsec.)

Thank you for listening! (9 November 2009, 11:36)
I hope you enjoyed the format!
Marcus.Murray@Truesec.com
