Sybex MCITP: Microsoft Windows Vista Desktop Support Consumer Study Guide, Exam 70-623 (part 7)


Chapter 5: Configuring Windows Vista Security

Configuring Internet Explorer 7+

TABLE 5.6 High Settings That Are More Restrictive Than the Medium-High Security Level (continued)

Setting | Option
Allow Webpages to Use Restricted Protocols for Active Content | Disable
Drag and Drop or Copy and Paste Files | Prompt
Include Local Directory Path When Uploading Files to a Server | Disable
Installation of Desktop Items | Disable
Launching Applications and Unsafe Files | Disable
Launching Programs and Files in an IFRAME | Disable
Open Files Based on Content, Not File Extension | Disable
Software Channel Permissions | High Safety
Submit Non-encrypted Form Data | Prompt
Userdata Persistence | Disable
Websites in Less Privileged Web Content Zone Can Navigate into This Zone | Disable
Active Scripting | Disable
Allow Programmatic Clipboard Access | Disable
Scripting of Java Applets | Disable
Logon | Prompt for User Name and Password

Now in Exercise 5.2, you will set up a Custom security level in Internet Explorer.

EXERCISE 5.2 Customizing Internet Explorer’s Security Zones

1. Open Internet Explorer from your Windows Vista computer (Start > Internet Explorer).
2. Select Tools > Internet Options.
3. Click the Security tab, as shown here.
4. In the Select a Zone to View or Change Security Settings box, click Internet and then click the Custom Level button.
5. From here, find the section called ActiveX Controls and Plug-ins. Find Allow Scriptlets and click Prompt. Now find Download Unsigned ActiveX Controls and click Prompt. Finally, find Initialize and Script ActiveX Controls Not Marked as Safe for Scripting and click Prompt. Then click OK.

These settings can be useful if you need to run a custom script that is not yet signed and exists outside of your intranet zone. For example, if you have a development team working on some ActiveX controls, they may have a need to run ActiveX controls that normally would be deemed suspicious.
These customizations allow them to use these controls. Even better, you could isolate these settings to the Trusted Sites zone and add the known website to that zone. This would give you the flexibility to work with unsigned ActiveX content but isolate which websites get the new set of rules. If the websites are internal to the company and inside the Intranet zone, you could make these changes to the Intranet zone. When modifying zone settings to reduce security, you should try to use the proper zone to isolate relaxed security rules to a narrow field of potential websites and limit your exposure to threats.

6. Click Reset All Zones to Default Level. This will reset all of the changes you just made and take the zone settings back to the defaults.

Configuring User Account Control

Windows Vista introduces a new security feature, known as User Account Control (UAC). UAC provides a new layer of security for gaining administrator privileges on a Windows Vista machine. On the surface UAC is simple. All users run as standard users with reduced privileges and any time an action requires administrator rights, UAC comes into play. Depending on the settings and the user type, UAC will have different effects. If the user is an administrator, they may just be prompted to approve the elevation of privileges, while standard users are prompted for administrator credentials.

We talked briefly about UAC in Chapter 2, including the rights that standard and administrative users have in Windows Vista. In this section we will look at the options you have for configuring UAC. UAC is configured via Group Policy, either from a domain or from local Group Policy. To view the UAC settings for a Windows Vista box, you must first launch the Local Security Policy application by selecting Start > All Programs > Administrative Tools > Local Security Policy.
Once open, expand Local Policies and select Security Options. At the bottom of the list of policies you should now see nine UAC policies, all prefaced with User Account Control, as shown in Figure 5.36. The UAC settings are broken into two categories: seven of them are UAC settings that can be enabled or disabled, and the other two represent the configuration options for UAC prompts.

FIGURE 5.36 The Local Security Policy showing the policies for UAC

Understanding UAC Settings

The settings are the most important policies that you will deal with as they turn features of UAC on or off. These settings control how UAC works and what features will affect different users. The UAC settings and a description of each follow:

User Account Control: Admin Approval Mode for the Built-in Administrator Account
This setting allows you to control whether the built-in administrator account will run in Admin Approval mode. The default setting for this policy depends on how Windows Vista was installed and the state of the local administrator account during install. For new installations, this policy is disabled because the local administrator account is disabled as well. For upgrades, Windows Vista will disable this policy and the local administrator account if there are other accounts with administrator rights on the machine. If the local administrator account is the only administrator account, then this policy will be enabled, requiring the local administrator account to run in Admin Approval mode.

User Account Control: Detect Application Installations and Prompt for Elevation
When this policy is enabled, which it is by default, Windows Vista will detect an application install and prompt for consent or credentials. When this policy is disabled, it will cause application installations to fail without error or with a nondeterministic error.

User Account Control: Only Elevate Executables That Are Signed and Validated
This policy controls how applications are allowed to elevate their permissions. Just like users, applications can perform functions that require administrative rights. When this policy is enabled, applications will need to have PKI signatures in order to elevate. By default this policy is disabled and both signed and unsigned applications will be allowed to elevate.

User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations
When this option is enabled, Windows Vista will only give UIAccess privileges and user rights to applications launched from Program Files or from the Windows directory. Any UIAccess application launched from different directories will run without additional privileges. Enabled is the default setting. When the option is disabled, the location check is not done and UIAccess applications can run from any directory.

User Account Control: Run All Administrators in Admin Approval Mode
This setting is essentially the toggle switch for all of UAC. When it’s enabled, both standard users and administrators will be prompted when they attempt to perform an administrative action. When this policy is disabled, UAC will not prompt when administrative tasks are performed. By default, this setting, and hence UAC, are enabled.

User Account Control: Switch to the Secure Desktop When Prompting for Elevation
This policy controls whether UAC prompts are displayed in the secure desktop. Sounds pretty cool, huh? This is just the setting that tells UAC to disable all other application activity and take over the entire interface (which is the default). If you disable this setting, the UAC prompts will be just like any other dialog box, and that means malicious code can “click” OK to approve administrative action.

User Account Control: Virtualize File and Registry Write Failures to Per-User Locations
This option is simple; it controls how Windows Vista will interact with older, non-UAC aware applications. When the option is enabled, which is the default, attempts by an application to write to the Program Files, Windows, or System32 directories or the HKLM\Software registry key will be redirected to safe areas of the disk. This allows the older application to think it’s working while preventing access to these critical sections of the system. When disabled, this policy will cause the application to receive an error when such a write attempt is made.

Configuring UAC Prompts

The final two policies control the behavior of prompts for administrators in Admin Approval mode and for standard users. The configuration of your environment and the level of security you want to enforce dictate how you set these policies.

User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
You have three options when configuring Admin Approval mode:
- Prompt for Consent: The default option, administrators will be prompted for approval when performing administrative tasks.
- Elevate Without Prompting: This option essentially disables Admin Approval mode as elevation will occur silently without a prompt.
- Prompt for Credentials: This option will force administrators to enter their credentials in order to perform the actions. This is the most secure option as a machine that is left unattended could not cause much damage since the administrator must log in again to perform the action.

User Account Control: Behavior of the Elevation Prompt for Standard Users
This policy controls the prompt for standard users. The options are simple:
- Prompt for Credentials: The default option prompts the user for credentials.
  This allows for over-the-shoulder credentials to be used in your environment.
- Automatically Deny Elevate Requests: Users are denied access when attempting to perform an elevated action.

Troubleshooting User Account Control

Now we want to look at some common issues you may run into when running UAC on your Windows Vista machines. Mostly, UAC settings are either on or off, and there isn’t a lot to it, so most of your time troubleshooting UAC will be spent troubleshooting your users’ experience with UAC. Having a good understanding of each of the settings is the first step to fixing UAC problems for your users. The next step is to understand how the settings can change the experience the user is currently getting.

Troubleshooting Application Issues

When an application needs to run in a UAC environment, several components of UAC can affect how those applications behave. In this section we will look at two things that can make or break an application in a UAC environment: the Application Information service and File and Registry Virtualization.

Application Information Service

A critical component of UAC is the Application Information service. This service facilitates application elevation when the application needs to run with administrative privileges. If this service is running and a properly designed application needs to be elevated within the constructs of UAC, the user will receive a UAC prompt and the elevation will be allowed, assuming the user allows the elevation. The elevated credentials apply only to the application; once the application is closed, the elevated session goes away. When the Application Information service is not running, the application will attempt to run with the current user’s credentials and will not generate a UAC prompt. Depending on the user’s credentials, the application could fail silently or with nondeterministic errors.
Any time you have apps failing to run that require elevated rights or that run fine on another machine, check to ensure that the Application Information service is running.

UAC Virtualization Issues

Older applications running on Windows Vista are likely not to be UAC aware. Many applications required administrative permissions to run as they wrote to system directories, such as Program Files or Windows, or to the Windows registry. Many areas of Windows Vista have been locked down to prevent system problems that can be caused by poorly written applications. This lockdown will prevent applications from writing to these protected folders and the registry. Now we will explore what you need to do when older applications aren’t playing nice in Windows Vista.

One of the policy settings for UAC is Virtualize File and Registry Write Failures to Per-User Locations. If you find that an application is failing with an error, displaying a cryptic error message, or specifically giving an error about not being able to access a file or the registry, you may want to check this policy setting. When Virtualization is enabled, if an application attempts to write to a protected location, the file or registry key it is trying to write is copied to the current user profile location and the user can then modify it. Further calls to the same file or registry key are redirected to the user profile copy. This prevents the application from writing to a protected area but the application is tricked into thinking the operation succeeded. If this policy setting is turned off, Virtualization will not work and your applications could fail.

Troubleshooting UAC Policy Settings

Users may experience prompts they are not expecting when working with UAC. Administrators commonly complain that they don’t like the requirement of confirming administrative tasks.
If you decide to turn off elevate prompts for your administrators, you need to know the ramifications of changing the UAC policies. There are several policies that you may be tempted to change when attempting to remove prompts for your administrators. Let’s look at how each of these settings affects the administrator’s prompts and which one is the most appropriate to use:

User Account Control: Admin Approval Mode for the Built-in Administrator Account
This setting controls the Admin Approval mode for the built-in administrator account. This is the account, named Administrator, which exists on all Windows Vista machines. In many cases this account will be disabled regardless of this policy’s setting. The best practice is to avoid using this account unless there is a specific problem you are attempting to correct, so your administrators shouldn’t be using it as a matter of course. Changing this policy will have no effect on the prompts that your administrative users see when logged in with their accounts.

User Account Control: Run All Administrators in Admin Approval Mode
This setting controls how administrative accounts run. When enabled, administrators will be in Admin Approval mode and, by default, will receive prompts to confirm administrative actions. On the surface, it would look as though this is the policy we should disable to prevent administrators from getting UAC prompts. In reality, disabling this policy will effectively shut down UAC for all users, administrators and standard users alike, and cause users to receive a warning that the overall security of the operating system has been reduced. So, again, this is the wrong policy to accomplish our goal.

User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
Finally, this is the policy that affects the behavior of the elevation prompt for users in Admin Approval mode.
By default, the policy is set to Prompt for Consent, which will require that administrators confirm administrative actions. Alternatively you can set this policy to Elevate Without Prompting. With this policy changed to Elevate Without Prompting, administrators will not receive a prompt when performing administrative actions, but UAC will remain on for standard users. This option is the only one we want to change to cause administrators to stop getting elevation prompts.

Most of the problems you encounter with UAC will be related to the settings of the UAC policies. Be sure to check the settings to ensure that everything is configured in accordance with your environment. The best weapon you have is to understand what each policy does and to know the ramifications of changing their settings.

Configuring Windows Updates

Operating systems and applications will require security patches and updates over time. These are often required because hackers found a weakness in a piece of code that would allow them to exploit your system or a bug has been identified in an application and the vendor wants to update before it causes any problems. Windows Vista comes with the new and improved Windows Update applet. In previous versions of Windows, users would go to the Windows Update website to obtain security patches and updates. Behind the scenes the process is much the same, but in Windows Vista the Windows Update applet takes the guesswork out of the process.

To configure Windows Update, you first must open the application. The easiest way to do so is by selecting Start > All Programs > Windows Update. This will launch the main screen, shown in Figure 5.37.

FIGURE 5.37 The main screen of Windows Update

This screen gives you a status of the updates required by your system. The top section tells you how many important and optional updates you need to install on this system.
The bottom section provides information about Windows Ultimate Extras. These extras are only available if you are running Windows Vista Ultimate, and they provide things like new games or new desktop themes. These updates are in no way required. Before you see this status, you may see a message that says “Checking for updates” when you first load the applet; this indicates that Windows Vista is communicating with Microsoft to find updates.

The four lines at the bottom of the screen let you quickly see how Windows Update is configured. These tell you several important things that you can use for informational purposes or during troubleshooting:

Most Recent Check for Updates
This was the last time that Windows Update connected to check for new updates.

Updates Were Installed
This is the date and time that the last update was installed. You can click the link View Update History to see a list of updates that have been applied to this system.

You Have Windows Set To
This will give you the details on your automatic settings. We will look at these shortly.

You Receive Updates
This final line tells you what products are updated, for Windows and other products, and where Windows Update looks to find its updates.

Along the left side of the screen, you have access to the settings and features of Windows Update. Let’s take a look at each of these options:

Check for Updates
This will force Windows Update to connect to the server and look for newly available updates.

Change Settings
The Change Settings screen is broken down into three sections, as shown in Figure 5.38. The first section allows you to control how updates will be downloaded and applied. You must choose one of four options:
- Install Updates Automatically: This option allows Windows Vista to download and install updates automatically without asking for permission.
  If you choose this option, you must also pick a day and time for the download and install to occur.
- Download Updates but Let Me Choose Whether to Install Them: Updates will be downloaded automatically, but you need to tell Windows Vista to go through with the installation every time updates have been downloaded.
- Check for Updates but Let Me Choose Whether to Download and Install Them: Windows Update will notify you when new updates are available, but you have to initiate the download and installation.
- Never Check for Updates: Windows Update will not check for updates at all. You will need to manually run Windows Update and select Check for Updates in order to download and install updates.

FIGURE 5.38 The settings screen for Windows Update

The second section lets you specify whether to include recommended updates. Selecting this option will cause Windows Update to notify, download, and install recommended updates in addition to critical updates. Clearing this option will cause you to receive only critical updates automatically.

The final option allows you to select whether to use Microsoft Update. Microsoft Update is the subcomponent of Windows Update that allows updates for products besides Windows Vista to be downloaded and installed.

View Update History
This will show you all the updates that have been installed on the system via Windows Update. This screen also provides you with a link to the Install Updates section of the Programs and Features applet, where you can uninstall updates.

Restore Hidden Updates
When you are presented with updates that you decide not to install, such as optional language packs, you can opt to hide these updates. When updates are hidden, you will not see anything about them in Windows Update. This option provides you with a list of all the hidden updates; you can then unhide any that you want to install.

Updates: Frequently Asked Questions
This provides a link to a help file of FAQs about Windows Update.

Learn About Windows Ultimate Extras
This link, only visible when you’re running Windows Vista Ultimate Edition, takes you to a screen that provides more details on Ultimate Extras.

Manually Applying Security Patches and Updates

If there are optional updates that you want to install, you may find yourself in a situation where you have to manually apply an update. To manually apply an update, first launch Windows Update. If there are updates to install, you will see that on the main screen, as shown in Figure 5.39. Click View Available Updates, and you will be presented with a list of the updates available for installation. Figure 5.40 shows the list of updates currently available for installation on the system. This list provides a few pieces of information to help you determine whether you want to install the update. Right-clicking an update offers three options:

View Details
This will open a small dialog box providing more information on what the update is as well as links to more information on the Internet.

[...]

... of Windows. This is the closest thing Windows Vista has to offer to the old Network Properties dialog box.

Diagnose and Repair
This option will have Windows Vista perform some simple diagnosis and attempt to repair a networking problem. We will look at this feature in detail in the next chapter.

Exploring the Network and Sharing Center

FIGURE 6.2 ...

Chapter 6: Configuring Networking

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
- Configure Windows Vista Security
  - Configure firewalls
- Configure, Troubleshoot, and Repair Networking
  - Configure and troubleshoot network protocols
  - Configure and troubleshoot network services at the client
  - Configure and troubleshoot Windows Vista by using the Network and Sharing...

... requirements in order to enable BitLocker on a Windows Vista system.

Review Questions

1. How can you check the certificate details of a secure website?
A. Click the lock icon next to the URL in Internet Explorer 7
B. Click the Internet globe at the bottom of the Internet Explorer 7 window
C. Enable TLS 1.0
D. Select Tools 2 Internet...

... using UAC?
A. Windows
B. Windows\System32
C. Application Data
D. Program Files

6. Which of the following are prompt options for administrators running in Admin Approval mode? (Choose all that apply.)
A. Prompt for Consent
B. Request Domain Consent
C. Elevate Without Prompting
D. Prompt for Credentials

7. Which service...

... Checking is turned off, it will not utilize the Microsoft URL Reputation Service available on the Internet. This list is updated frequently.

4. B, C. Standard User and Administrator are the two main types of user accounts in Windows Vista.

5. C. The Application Data folder, found in Windows 2000 and XP, cannot be configured for a virtual redirect upon failure in Windows Vista.

6. A, C, D. All of these are valid prompt...

... user’s knowledge. Windows Vista ships with UAC, which we also explored in this chapter. UAC provides a new layer of security for performing administrative actions on Windows Vista machines. Using UAC, you can prevent administrators from making mistakes and provide a mechanism for standard users and applications to have their rights temporarily elevated. We talked about Windows Update. Using Windows Update,...

... outgrown TCP/IP networking as it exists today; enter IPv6. Windows Vista introduces huge improvements in the area of networking as compared to its predecessors. In this chapter, we will look at configuring Windows Vista to work with these and other network technologies.

Exploring the Network and Sharing Center

At the center of the networking world in Windows Vista is the new Network and Sharing Center. This is...

FIGURE 5.39 Windows Update, showing two optional updates are available

FIGURE 5.40 The list of available updates via Windows Update

Protecting Data

Copy Details
This will copy the text of the details to...

... Account Control. Know what UAC is and how it helps to secure Windows Vista. Be familiar with the various settings and prompts that you will encounter in UAC. Know where to go to change UAC settings. Be familiar with Admin Approval mode.

Know how to use Windows Update to apply security patches and updates. Understand how to configure Windows Update. Know that Windows Update requires Internet access to communicate...

... the 1.5GB primary partition. Then create the partition to be used for Windows Vista. After Windows Vista is installed, you can initialize BitLocker encryption by going to Control Panel, clicking Security, and then clicking BitLocker Drive Encryption. From the BitLocker Drive Encryption page, you can turn on BitLocker and use the wizard to guide you through the process. The wizard will have you initialize
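
The nine policies described under Understanding UAC Settings and Configuring UAC Prompts are stored as DWORD values under a single registry key, so their state can be audited with a script. The PowerShell below is an added example, not from the book: the registry value names and Vista data values are supplied here (the chapter gives only the policy names), the sample data is constructed, and the Weakened flags follow the chapter's own warnings.

```powershell
# Added example (not from the book): audit the nine UAC policies.
# Data values are the Windows Vista ones; later Windows versions add others.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# RegValue = backing registry value; Default = default the chapter lists
# ($null where it depends on how Vista was installed); Risky = data values
# the chapter warns about; Why = the chapter's reason.
$UacPolicies = @(
    @{ RegValue = 'FilterAdministratorToken'; Default = $null; Risky = @(); Why = '';
       Policy = 'Admin Approval Mode for the Built-in Administrator Account' },
    @{ RegValue = 'EnableInstallerDetection'; Default = 1; Risky = @(); Why = '';
       Policy = 'Detect Application Installations and Prompt for Elevation' },
    @{ RegValue = 'ValidateAdminCodeSignatures'; Default = 0; Risky = @(); Why = '';
       Policy = 'Only Elevate Executables That Are Signed and Validated' },
    @{ RegValue = 'EnableSecureUIAPaths'; Default = 1; Risky = @(); Why = '';
       Policy = 'Only Elevate UIAccess Applications That Are Installed in Secure Locations' },
    @{ RegValue = 'EnableLUA'; Default = 1; Risky = @(0);
       Why = 'UAC is shut down for administrators and standard users';
       Policy = 'Run All Administrators in Admin Approval Mode' },
    @{ RegValue = 'PromptOnSecureDesktop'; Default = 1; Risky = @(0);
       Why = 'Prompt is an ordinary dialog that malicious code can click';
       Policy = 'Switch to the Secure Desktop When Prompting for Elevation' },
    @{ RegValue = 'EnableVirtualization'; Default = 1; Risky = @(); Why = '';
       Policy = 'Virtualize File and Registry Write Failures to Per-User Locations' },
    # 0 = Elevate Without Prompting, 1 = Prompt for Credentials, 2 = Prompt for Consent
    @{ RegValue = 'ConsentPromptBehaviorAdmin'; Default = 2; Risky = @(0);
       Why = 'Administrators elevate silently, with no prompt';
       Policy = 'Behavior of the Elevation Prompt for Administrators in Admin Approval Mode' },
    # 0 = Automatically Deny Elevate Requests, 1 = Prompt for Credentials
    @{ RegValue = 'ConsentPromptBehaviorUser'; Default = 1; Risky = @(); Why = '';
       Policy = 'Behavior of the Elevation Prompt for Standard Users' }
)

# Compare a table of registry data (value name -> DWORD) with the list above.
function Test-UacPolicy {
    param([hashtable]$Values)
    foreach ($p in $UacPolicies) {
        $name = $p['RegValue']
        $current = $null
        $status = 'NotSet'
        $note = 'Value not present under the key'
        if ($Values.ContainsKey($name)) {
            $current = [int]$Values[$name]
            if ($p['Risky'] -contains $current) {
                $status = 'Weakened'; $note = $p['Why']
            } elseif ($null -ne $p['Default'] -and $current -ne $p['Default']) {
                $status = 'NonDefault'; $note = 'Differs from the default the chapter lists'
            } else {
                $status = 'OK'; $note = ''
            }
        }
        New-Object PSObject -Property @{
            Policy = $p['Policy']; RegValue = $name
            Current = $current; Status = $status; Note = $note
        } | Select-Object Policy, RegValue, Current, Status, Note
    }
}

# Read the live values from the local machine's policy key.
function Get-UacRegistryValues {
    $values = @{}
    $item = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($p in $UacPolicies) {
        $name = $p['RegValue']
        if ($item -and $item.PSObject.Properties[$name]) { $values[$name] = $item.$name }
    }
    $values
}

# Constructed sample: secure desktop off and silent elevation for administrators.
$Sample = @{
    FilterAdministratorToken = 0; EnableInstallerDetection = 1
    ValidateAdminCodeSignatures = 0; EnableSecureUIAPaths = 1; EnableLUA = 1
    PromptOnSecureDesktop = 0; EnableVirtualization = 1
    ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 1
}
Test-UacPolicy -Values $Sample | Format-Table RegValue, Current, Status, Note -AutoSize

# On a Windows machine, audit the live configuration as well.
if (Test-Path $UacKey) {
    Test-UacPolicy -Values (Get-UacRegistryValues) | Format-Table RegValue, Current, Status, Note -AutoSize
}
```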

Date posted: 10/08/2014, 13:20
