Windows Vista for IT Professionals, part 4 (pps)

Session 1: Security Enhancements in Windows Vista

What Are the NAP Components?

Network Policy Server (NPS) is the main component in NAP and is a component of Windows Server "Longhorn". NPS serves as a central point where health policies can be checked. NPS also coordinates Active Directory queries required for health policy checks. Internet Authentication Service (IAS), found in previous versions of Windows Server, has been replaced with NPS.

Each type of NAP enforcement requires an enforcement client (EC) on the network node to negotiate health compliance. Each EC is specific to the type of NAP enforcement. For example, DHCP enforcement requires a DHCP NAP EC. The required ECs are part of Windows Vista and may also be released for Windows XP SP2.

IPsec Enforcement

IPsec enforcement limits communication on your network to computers that are compliant with health policy requirements. This is the strongest form of NAP enforcement. A health certificate server and an IPsec NAP EC are required for IPsec enforcement. The health certificate server issues X.509 certificates to clients when they are determined to be compliant with the health policy requirements. These certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on the network.

802.1X Enforcement

802.1X enforcement comprises an NPS server and an EAPHost NAP EC component. Using 802.1X enforcement, an NPS server instructs an 802.1X access point (an Ethernet switch or a wireless access point) to place a restricted access profile on the 802.1X client until it performs a set of remediation functions. A restricted access profile can consist of a set of IP packet filters or a virtual LAN (VLAN) identifier to confine the traffic of an 802.1X client. 802.1X enforcement provides strongly limited network access for all computers accessing the network through an 802.1X connection.

VPN Enforcement

Virtual private network (VPN) enforcement comprises a VPN NAP Enforcement Server (ES) component and a VPN NAP EC component. Using VPN enforcement, VPN servers can enforce health policy requirements any time a computer attempts to make a VPN connection to the network. VPN enforcement provides strongly limited network access for all computers accessing the network through a VPN connection.

DHCP Enforcement

DHCP enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component. Using DHCP enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. However, DHCP enforcement relies on entries in the IP routing table, so it is the weakest form of limited network access in NAP.

What Are the NAP Implementation Scenarios?

NAP is a flexible solution for enforcing health requirements on network computers before allowing access. Some of the scenarios where NAP can be used are:

• Monitor the health of roaming portable computers. While portable computers are away from the corporate network, they might not receive the most recent software updates or configuration changes. In addition, portable computers may be infected with viruses when they are exposed to unprotected networks such as the Internet. You can use NAP to verify portable computer health each time a portable computer connects to the corporate network, either remotely through a VPN connection or locally.
• Ensure the health of desktop computers. Desktop computers that do not have the most recent updates are at a higher risk of virus infection from Web sites, e-mail, and files in shared folders. You can use NAP to verify that desktop computers have the most recent updates before allowing them to connect to the network.
• Determine the health of visiting portable computers. Organizations frequently need to allow consultants and guests access to their private networks. The portable computers that these visitors bring might not meet network requirements and can present health risks. You can use NAP to limit visiting portable computers to a restricted network.
• Verify the health of unmanaged home computers. Unmanaged home computers provide an additional challenge to network administrators because they do not have physical access to these computers. Lack of physical access makes enforcing compliance with network requirements (such as the use of antivirus software) more difficult. Verifying the health of these computers is similarly challenging. You can use NAP to check for required programs, registry settings, or files before allowing home computers to access the network by using a VPN connection.

Internet Explorer 7 Security Enhancements

Introduction

Applications that communicate on the Internet are particularly vulnerable to security flaws because they are exposed to a wide variety of data from unprotected networks. If any flaw is found in an Internet-facing application, hackers can quickly exploit it. Internet Explorer 7 includes many improvements to make Web browsing more secure.

Objectives

After completing this section, you will be able to:

• Describe the threats to Internet Explorer.
• Understand Internet Explorer Zones.
• Describe how Protected Mode reduces security vulnerabilities.
• Describe how Internet Explorer 7 blocks pop-up windows.
• Understand the Phishing Filter.

What Are the Threats to Internet Explorer?

Internet Explorer and other Web browsers are exposed to more security threats than most software because they are used to retrieve information directly from the Internet. Hackers can create Web sites that exploit known vulnerabilities. Just visiting a Web site that takes advantage of a vulnerability can cause malware to be installed or change system settings. In rare cases, there are unknown vulnerabilities that are discovered and used by hackers for a period of time before they become well known.

Most Internet Explorer vulnerabilities are a result of scripts being included as part of the Web page. Many Web pages include JavaScript or VBScript to create dynamic Web page elements. However, if the scripting engine in Internet Explorer does not handle certain coding properly, a hacker may be able to run arbitrary code on the workstation or perform other tasks.

Other Internet Explorer vulnerabilities are the result of specially crafted image files or Web page content that confuse the components that are supposed to render them. When the image file or Web page content is rendered incorrectly, malware can be installed.

The best way to reduce Internet Explorer vulnerabilities is by applying updates when they are available. Updates are used to eliminate known vulnerabilities.

What Are Internet Explorer Zones?

Internet Explorer provides a wide variety of security options that you can configure. These security options define the rules for how to handle content such as Microsoft ActiveX® controls or scripting in Web pages. Internet Explorer zones let you configure different security options for categories of Web sites. Each zone is a category of Web sites. The Internet Explorer zones are:

• Internet. All Web sites not specifically included in another zone are part of the Internet zone. The default security level for this zone is Medium-high, which is suitable for viewing most Web site content.
• Local intranet. For Windows Vista computers joined to a domain, the Local intranet zone includes all computers that are part of the domain. For Windows Vista computers that are not joined to a domain, the Local intranet zone is not used. The default security level for this zone is Medium-low, to allow intranet applications that require advanced scripting options and ActiveX controls to function properly.
• Trusted sites. You must specifically add sites to the Trusted sites zone. No sites are in the Trusted sites zone by default. You can use the Trusted sites zone for partner Web sites that need advanced scripting and ActiveX controls to run properly. The default security level for this zone is Medium.
• Restricted sites. You must specifically add sites to the Restricted sites zone. No sites are in the Restricted sites zone by default. You can use the Restricted sites zone for Web sites that you are concerned might be dangerous, or just to stop scripting on Web pages that you find annoying. The security level for this zone is High and cannot be lowered except by using custom settings.

What Is Protected Mode?

Protected Mode is a new feature in Internet Explorer 7 that reduces the impact of vulnerabilities that have not been corrected. When Protected Mode is in use for an Internet Explorer zone, Internet Explorer runs as a low integrity process. As a low integrity process, Internet Explorer can only modify low integrity resources, which is a very limited area.

Integrity levels are a new feature in Windows Vista that are added to the access control list (ACL) of objects. Traditionally, objects such as files and registry keys contained only user and group permissions in the ACL. Integrity levels have been added as an additional security mechanism to control which processes are able to access resources.

Low Integrity Processes

Low integrity processes can only write to folders, files, and registry keys that have been assigned a low integrity mandatory label.
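The following PowerShell script is an added example, not part of the course manual: it lists the security level and Protected Mode switch of each Internet Explorer zone from the per-user registry, then reads the mandatory integrity label of the low-integrity folders a Protected Mode process may write to, treating an unlabelled folder as medium integrity as the text describes. The zone key layout, the value names "CurrentLevel" and "2500", the level-to-name mapping and the folder paths are assumptions of this example.

```powershell
# Added example, not from the course manual: audit Internet Explorer zone levels
# and Protected Mode switches, then read the mandatory integrity label of the
# low-integrity folders that a Protected Mode process is allowed to write to.
# Assumptions (not stated in the text): the zone registry layout, the value
# names "CurrentLevel" and "2500", and the exact folder paths.

# Zone keys 1..4 hold Local intranet, Trusted sites, Internet, Restricted sites.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Assumed mapping of CurrentLevel values to the level names used in the text.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-IEZoneAudit {
    foreach ($id in 1..4) {
        $p   = Get-ItemProperty -Path (Join-Path $zoneRoot $id)
        $lvl = [int]$p.CurrentLevel
        [pscustomobject]@{
            Zone          = $p.DisplayName
            SecurityLevel = if ($levelNames.ContainsKey($lvl)) { $levelNames[$lvl] }
                            else { 'custom (0x{0:X})' -f $lvl }
            # Value "2500" is assumed to be the Protected Mode switch: 0 = on, 3 = off.
            ProtectedMode = if ($p.'2500' -eq 0) { 'on' }
                            elseif ($p.'2500' -eq 3) { 'off' } else { 'not set' }
        }
    }
}

# icacls prints a line such as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
# for a labelled object. An object with no label line is medium integrity.
function Get-IntegrityLabel([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $hit = icacls $Path 2>$null |
        Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Medium (no explicit label)' }
}

# Low-integrity locations named in the text; the exact paths are assumptions
# and vary between Windows versions.
$lowFolders = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
    "$env:TEMP\Low"
    "$env:USERPROFILE\AppData\LocalLow"
)

Get-IEZoneAudit | Format-Table -AutoSize
foreach ($f in $lowFolders) { '{0,-26} {1}' -f (Get-IntegrityLabel $f), $f }
```

A folder reported as "Medium (no explicit label)" is one a Protected Mode process cannot write to directly; such writes are what the redirection and elevation mechanisms described under Backward Compatibility exist to handle.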
As a result, Internet Explorer and extensions run in Protected Mode can only write to low integrity locations, such as the new low integrity temporary Internet files folder, the History folder, the Cookies folder, the Favorites folder and the Windows temporary file folders. Any resources not specifically assigned an integrity level are considered medium integrity level. Furthermore, the Protected Mode process will run with a low desktop integrity level when Windows Vista ships, which will prevent it from sending specific window messages to higher integrity processes.

By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that can be caused by a compromised Internet Explorer process. An attacker cannot, for example, silently install a keystroke logger to the user's Startup folder. Likewise, a compromised process cannot manipulate applications on the desktop through window messages.

Backward Compatibility

Some Web applications require backward compatibility because they assume that they have greater privileges than a low integrity process. To accommodate the need for backward compatibility, Internet Explorer can employ redirection or elevate privileges. Redirection takes access attempts such as writing files and registry keys in medium integrity locations and redirects them to low integrity locations. Privilege elevation asks for a user's consent before elevating to access resources outside of the low integrity locations.

[...]

Demonstration: Configuring Protected Mode

In this demonstration, you will see how you can:

• Enable Protected Mode for all zones.
• Configure customized security settings.

Key Points

• Internet Explorer categorizes Web sites into zones.
• Each zone has independent security settings.
• Internet Explorer 7 has a new Protected ... a low privilege process.

How Internet Explorer 7 Prevents Pop-Up Windows

Internet Explorer 7 includes a Pop-up Blocker to stop most pop-up windows. A pop-up window is a small Web browser window that appears on top of the Web site you are viewing. Pop-up windows often open as soon as you visit a Web site and are usually used for advertising. When a pop-up ...

... You can configure the filtering level for Pop-up Blocker as:

• High: Block all pop-ups. This setting blocks all pop-up windows, including those that are created by clicking a link.
• Medium: Block most automatic pop-ups. This setting blocks most pop-up windows, but allows pop-up windows that are triggered when you click a link.
• Low: Allow pop-ups from secure sites. This setting automatically allows pop-up windows for sites accessed with the HTTPS protocol. Non-HTTPS sites are treated the same as when the Medium setting is selected.

Pop-up windows are not blocked for sites in the Local intranet or Trusted sites zones.

Demonstration: Configuring the Pop-up Blocker

In this demonstration, ...

... pop-up windows.
• You can configure how sensitive the Pop-up Blocker is.

What Is the Phishing Filter?

The Phishing Filter is a new feature in Internet Explorer 7 that helps detect phishing Web sites. A phishing Web site is designed to look like a legitimate Web site that collects personal information or logon information, such as an online banking site ... phishing site collects information for criminals to steal money or perform identity theft. Most phishing attempts start with an e-mail message asking users to click a link and verify their information or log on.

Detecting Phishing Sites

The Phishing Filter performs three tasks to detect phishing sites:

• The Web site addresses you visit are compared to a list of known legitimate Web sites to ensure legitimate sites are not blocked.
• The Web sites you visit are analyzed to see if they have the characteristics of a phishing Web site.
• The Web site addresses you visit are compared to a list of known phishing Web sites.

If the site you are visiting is on the list of reported phishing Web sites, a warning page is displayed. From the warning page, you can select to continue to the Web site or close ... page. If the Web site you are visiting contains characteristics common to a phishing Web site, but is not on the list of known phishing Web sites, a warning is displayed in the information bar.

Reporting Phishing Sites

Within the Phishing Filter menu, users can report a potential phishing site. Microsoft verifies phishing sites before they are added ... known phishing sites. However, if your Web site is incorrectly listed as a phishing site, you can also report the incorrect listing to Microsoft for removal.

Demonstration: Configuring the Phishing Filter

In this demonstration, you will see how you can:

• Configure the Phishing Filter.

Key Points

• The Phishing Filter prevents malicious Web sites from impersonating legitimate Web sites and stealing your personal information.

Data Protection Features

Introduction

Traditionally, it has been difficult to protect data that moves outside of the enterprise. As soon as a portable computer has been stolen or a file sent via e-mail, the corporate information technology department no longer ...

Posted: 07/08/2014, 02:23
