Least Privilege Security for Windows 7, Vista and XP. Secure desktops for regulatory compliance and business agility

Spis treści książki

• Least Privilege Security for Windows 7, Vista and XP
  • Table of Contents
  • Least Privilege Security for Windows 7, Vista and XP
  • Credits
  • About the Author
  • About the Reviewers
  • Preface
    • What this book covers
    • What you need for this book
    • Who this book is for
    • Conventions
    • Reader feedback
    • Customer support
      • Errata
      • Piracy
      • Questions
  • 1. An Overview of Least Privilege Security in Microsoft Windows
    • What is privilege?
    • What is Least Privilege Security?
      • Limiting the damage from accidental errors with Least Privilege Security
      • Reducing system access to the minimum with Least Privilege Security
    • Least Privilege Security in Windows
      • Windows 9.x
      • Windows NT (New Technology)
      • Windows 2000
      • Windows XP
      • Windows Vista
      • Windows 7
    • Advanced Least Privilege Security concepts
      • Discretionary Access Control
      • Mandatory Access Control
      • Mandatory Integrity Control
      • Role-based Access Control
    • Least Privilege Security in the real world
    • Benefits of Least Privilege Security on the desktop
      • Change and configuration management
      • Damage limitation
      • Regulatory compliance
      • Software licensing
    • What problems does Least Privilege Security not solve?
    • Common challenges of Least Privilege Security on the desktop
      • Application compatibility
      • System integrity
      • End user support
    • Least Privilege and your organizations bottom line
      • Determining the affect of Least Privilege Security on productivity
      • Reducing total cost of ownership
      • Improved security
    • Summary
  • 2. Political and Cultural Challenges for Least Privilege Security
    • Company culture
      • Defining company culture
      • Culture shock
      • Culture case studies
        • Company A
        • Company B
    • Getting support from management
      • Selling Least Privilege Security
        • Using key performance indicators
        • Using key risk indicators
        • Mapping CSFs to KPIs
        • Security metrics
        • Threat modeling
        • Reducing costs
        • Security adds business value
      • Setting an example
    • User acceptance
      • Least Privilege Security terminology
      • Justifying the decision to implement Least Privilege Security
    • Applying Least Privilege Security throughout the enterprise
      • Deciding whom to exempt from running with a standard user account
        • What not to do
    • Managing expectations
      • Service catalog
      • Chargebacks
    • Maintaining flexibility
    • User education
    • Summary
  • 3. Solving Least Privilege Problems with the Application Compatibility Toolkit
    • Quick compatibility fixes using the Program Compatibility Wizard
      • Applying compatibility modes to legacy applications
      • Program Compatibility Wizard
      • Program Compatibility Assistant
        • Disabling the Program Compatibility Assistant
        • Excluding executables from the Program Compatibility Assistant
    • Achieving application compatibility in enterprise environments
      • Compatibility fixes
        • Modifying applications using shims
        • Enhancing security using compatibility shims
        • Deciding whether to use a shim to solve a compatibility problem
          • Vendor support
          • In-house applications
          • Kernel-mode applications
      • Creating shims for your legacy applications
      • Solving compatibility problems with shims
        • LUA compatibility mode fixes in Windows XP
          • LUARedirectFS
          • LUARedirectFS_Cleanup
          • LUARedirectReg
          • LUARedirectReg_Cleanup
          • LUATrackFS
        • Creating your own custom database
        • Maxthon on Windows XP
        • Working with other commonly used compatibility fixes
          • ForceAdminAccess
          • CorrectFilePaths
          • VirtualRegistry
            • ADDREDIRECT
      • Working with custom databases
        • Adding new shims to your custom database (merging custom databases)
        • Temporarily disabling compatibility fixes
        • Installing a custom database from Compatibility Administrator
        • Deploying a database to multiple devices
          • Finding the GUID of custom database
          • SDBINST command-line switches
          • Distributing or updating a custom database using Group Policy
    • Summary
  • 4. User Account Control
    • User Account Control components
      • Elevation prompts
      • Protected administrator (PA)
      • Windows Integrity Control and User Interface Privilege Isolation
      • Application Information Service
      • Filesystem and registry virtualization
      • Internet Explorer Protected Mode
    • The shield icon
    • User Account Control access token model
      • Standard user access token
      • Protected administrator access token
    • Conveniently elevating to admin privileges
      • Automatically launching applications with admin privileges
      • Consent and credential elevation prompts
        • • Consent prompts
          • Credential prompts
      • Application-aware elevation prompts
        • • Windows Vista
          • Publisher verified (signed)
          • Publisher not verified (unsigned)
          • Publisher blocked
      • Administrator accounts
      • Elevation prompt security
        • • Securing the desktop
          • Providing extra security with the Secure Attention Sequence (SAS)
      • Securing elevated applications
        • Windows Integrity Mechanism
          • Integrity policies
          • Assigning integrity levels
        • User Interface Privilege Isolation
          • User Interface Privilege Level
          • UIPI and accessibility
      • Achieving application compatibility
        • Application manifest
        • Power Users
        • Windows Logo Program
          • Certification requirements
      • Filesystem and registry virtualization
        • Filesystem virtualization
          • Virtual root directory
        • Registry virtualization
          • Virtual root registry
          • Using Task Manager to determine whether a process is using UAC filesystem and registry virtualization
      • Windows Installer and User Account Control
        • Automatically detecting application installers
      • Controlling User Account Control through Group Policy
        • Admin Approval Mode for the built-in administrator account
        • Allowing UIAccess applications to prompt for elevation without using the secure desktop
        • Behavior of the elevation prompt for administrators in Admin Approval Mode
        • Behavior of the elevation prompt for standard users
        • Detect application installations and prompt for elevation
        • Only elevate executables that are signed and validated
        • Only elevate UIAccess applications that are installed in secure locations
        • Run all administrators in Admin Approval Mode
        • Switch to the secure desktop when prompting for elevation
        • Virtualize file and registry write failures to per-user locations
      • What's new in Windows 7 User Account Control
        • User Account Control slider
        • Auto-elevation for Windows binaries
          • Executables
          • Microsoft Management Console (MMC)
          • Component Object Model (COM) objects
        • More settings accessible to standard users
    • Summary
  • 5. Tools and Techniques for Solving Least Privilege Security Problems
    • Granting temporary administrative privileges
      • Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
        • Creating three support accounts
        • Creating a policy setting to automatically delete the support account at logoff
        • Testing the support accounts
        • Putting into practice
      • Granting temporary administrative access without a separate logon
        • Creating a batch file to elevate the privileges of the logged in user
        • Testing the procedure
        • Limitations of the procedure
    • Bypassing user account control for selected operations
      • Using Task Scheduler to run commands with elevated privileges
        • Running the Scheduled Task as a standard user
    • Configuring applications to run with elevated privileges on-the-fly
    • Solving LUA problems with Avecto Privilege Guard
      • Defining application groups
      • Defining access tokens
      • Configuring messages
      • Defining policies
      • Solving LUA problems with Privilege Manager
        • Defining Privilege Manager rules
          • Assigning permissions
          • Adding or removing individual privileges
          • Specifying integrity levels
    • Suppressing unwanted User Account Control prompts
      • Modifying application manifest files
        • Editing manifests using Resource Tuner
        • Modifying manifests using the RunAsInvoker shim
    • Setting permissions on files and registry keys
      • Identifying problems using Process Monitor
      • Modifying permissions on registry keys and files with Group Policy
    • Fixing problems with the HKey Classes Root registry hive
      • Using Registry Editor to copy keys from HKCR to HKCU
    • Mapping .ini files to the registry
    • Using LUA Buglight to identify file and registry access violations
    • Summary
  • 6. Software Distribution using Group Policy
    • Installing software using Group Policy
      • Installing software using Windows Installer
      • Deploying software using Group Policy
      • Comparing Group Policy Software Installation with system images for software distribution
        • Choosing between thin and fat images
      • Preparing applications for deployment
        • Extracting .msi files from setup packages
          • Using WinRAR or 7-Zip to extract .msi files
        • Using command-line switches for silent installs and customization
        • Deploying system changes using Group Policy startup scripts
        • Creating an .msi wrapper
        • Repackaging an application with a legacy installer
          • Installing AdminStudio
          • Configuring AdminStudio's Repackager to run on a remote machine
          • Installing the remote repackager
          • Monitoring a legacy installation routine
      • Customizing an installation package
        • Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9
      • Using the Distributed File System with GPSI
        • Creating a DFS namespace
        • Adding a folder to the namespace
      • Deploying software using GPSI
        • Configuring software installation settings
        • Targeting devices using WMI filters and security groups
          • Active Directory security groups
            • Creating a security group to filter a GPO
          • Windows Management Instrumentation filtering
      • Upgrading software with GPSI
      • Uninstalling software with GPSI
        • Removing software when it falls out of scope of management
        • Removing .msi packages from Group Policy Objects
    • Summary
  • 7. Managing Internet Explorer Add-ons
    • ActiveX controls
      • Per-user ActiveX controls
        • Changing the installation scope to per-user
      • Best practices
      • Deploying commonly used ActiveX controls
        • Deploying Adobe Flash and Shockwave Player
        • Deploying Microsoft Silverlight
      • ActiveX Installer Service
        • Enabling the ActiveX Installer Service
          • Using the GUI to install the ActiveX Installer Service
          • Using the command line to install the ActiveX Installer Service
        • Determining the ActiveX control host URL in Windows 7
        • Determining the ActiveX control host URL in Windows Vista
        • Configuring the ActiveX Installer Service with Group Policy
        • Testing the ActiveX Installer Service
    • Managing add-ons
      • Administrator approved controls
        • Determining the Class Identifier CLSID of an installed ActiveX control
        • Adding ActiveX controls to the Add-on List
    • Summary
  • 8. Supporting Users Running with Least Privilege
    • Providing support
      • Preparing to support least privilege
    • Troubleshooting using remote access
      • Troubleshooting for notebook users
        • The notebook challenge
        • Having the right tools in place
        • Notebook users who seldom visit the office
        • Setting out IT policy
        • Other functions the help desk might require
        • The last resort: An administrative backdoor for notebooks
    • Enabling and using command-line remote access tools
      • WS-Management
        • Configuring WS-Management with Group Policy
        • Connecting to remote machines using WS-Management
          • Running standard Windows commands as an administrator on remote computers
          • Enumerating information using Windows Management Instrumentation
          • Performing actions on remote computers as an administrator using WMI methods
          • Connecting to WS-Management 1.1 from Windows Server 2008 R2
          • Working with WS-Management security
      • Automating administration tasks using PowerShell Remoting
    • Enabling and using graphical remote access tools
      • Enabling Remote Assistance
        • Different types of Remote Assistance
        • Enabling Remote Assistance via Group Policy
        • Offering a computer unsolicited Remote Assistance: DCOM
        • Sending Remote Assistance invitations
        • Initiating Remote Assistance from the command line
        • Connecting to remote PCs using Easy Connect
          • Enabling Remote Assistance with Network Address Translation
      • Remote Desktop
      • Connecting to a remote computer using the Microsoft Management Console (MMC)
    • Configuring Windows Firewall to allow remote access
      • Creating a GPO for Windows Firewall in Windows 7
        • Importing Windows 7 Firewall rules to a GPO
        • Modifying the default Windows Firewall rules
        • Adding additional inbound exceptions for remote administration
        • Creating a WMI filter to restrict the scope of management to Windows 7
        • Linking the new GPO to the Client OU
        • Checking the GPO applies to Windows 7
      • Creating a GPO for Windows Firewall in Vista
        • Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile
        • Creating a WMI query for Windows Vista
      • Creating a GPO for Windows Firewall in Windows XP
        • Configuring GPO settings
        • Creating an exception for WS-Management
        • Creating an exception for Remote Desktop
        • Creating an exception for Remote Administration
        • Creating an exception for Remote Assistance
        • Creating a WMI filter to restrict the scope of management to Windows XP
        • Linking the new GPO to the Client OU
    • Summary
  • 9. Deploying Software Restriction Policies and AppLocker
    • Controlling applications
      • Blocking portable applications
      • Securing Group Policy
        • Preventing users from circumventing Group Policy
    • Implementing Software Restriction Policy
      • Creating a whitelist with Software Restriction Policy
        • Defining hash rules
        • Defining path rules
        • Trusting software signed by a preferred publisher (Certificate Rules)
        • Making exceptions for IE zones (Network/Internet Zone Rule)
      • Creating a whitelist with Software Restriction Policy
      • Configuring applications to run as a standard user
    • AppLocker
      • Automatically generating AppLocker rules
      • Manually creating an AppLocker rule to blacklist an application
      • Importing and exporting AppLocker rules
    • Summary
  • 10. Least Privilege in Windows XP
    • Installing Windows XP using the Microsoft Deployment Toolkit
      • Providing a Volume License product key for an MDT XP Task Sequence
    • Windows XP security model
      • Power users
      • Network Configuration Operators
      • Support_<1234>
      • User rights
        • Modifying logon rights and privileges
          • Logon rights
          • Privileges
    • CD burning
      • Third-party CD/DVD burning software
        • Nero Burning ROM
          • Installing Nero BurnRights
          • Configuring Nero BurnRights from the command line
        • Allowing non-administrative users to burn discs in CDBurnerXP
      • Additional security settings
        • Restricting access to removable media
    • ActiveX controls
      • Flash Player
      • Acrobat Reader
      • Silverlight
      • Other popular ActiveX controls
        • RealPlayer
        • QuickTime
        • Sun Java Runtime Environment
        • Alternatives to QuickTime and RealPlayer
    • Changing the system time and time zone
      • Changing the system time
      • Changing the time zone
        • Setting time zone registry permissions using a GPO
    • Power management
      • Managing power settings with Group Policy Preferences
        • Creating a GPO startup script to install GPP CSEs
        • Configuring power options using Group Policy Preferences
      • Configuring the registry for access to power settings
    • Managing network configuration
      • Configuring Restricted Groups
    • Identifying LUA problems using Standard User Analyzer
    • Summary
  • 11. Preparing Vista and Windows 7 for Least Privilege Security
    • The Application Compatibility Toolkit
      • Application Compatibility Manager
      • Installing and configuring ACT
    • Creating a Data Collection Package
      • Analyzing data collected by ACT
        • • The application attempted to store a file in a restricted location
          • The application attempted to store a file in a system location that was virtualized by Windows Vista
          • The application attempted to open a restricted registry key and write to a restricted registry location
          • The application attempted to store information under the HKEY_LOCAL_MACHINE\SOFTWARE registry hive
    • Printers and Least Privilege Security
      • Installing printers using Group Policy Preferences
      • Installing printers using Windows Server 2003 Print Management and Group Policy
      • Installing printers using a script
    • Logon scripts
      • Synchronizing the system time
      • Updating antivirus definitions
      • Changing protected system configuration
      • Mapping network drives and printers
      • Creating desktop shortcuts
    • Why do a desktop refresh from a technical perspective?
    • Different methods of reinstalling Windows
      • Manual, non-destructive install
      • Automated install
    • Reinstall Vista or Windows 7 with Least Privilege Security
      • Installing the Microsoft Deployment Toolkit
      • Creating a deployment share
      • Adding an operating system image
      • Adding core packages to our Lite Touch installation
        • • Creating a Lite Touch task sequence
      • Updating our deployment share
      • Preserving default local group membership
      • Refreshing our OS with the Windows Deployment Wizard
    • Summary
  • 12. Provisioning Applications on Secure Desktops with Remote Desktop Services
    • Introducing Remote Desktop Services
      • Installing Remote Desktop Session Host and Licensing roles
      • Controlling access to the Remote Desktop Server
      • Installing the Remote Desktop Gateway
        • Creating Connection (CAP) and Resource (RAP) Authorization Policies
        • Installing the RD Gateway SSL Certificate in Windows 7
        • Connecting to a Remote Desktop Server via an RD Gateway from Windows 7
      • Installing applications on Remote Desktop Servers
        • Publishing applications using Remote Desktop Services
          • Adding applications to the RemoteApp Manager
      • Managing Remote Desktop Services licenses
        • Understanding Remote Desktop Licensing
        • Revoking Per Device Remote Desktop Services Client Access Licences
        • Tracking Per User Remote Desktop Services Client Access Licences
      • Installing Remote Desktop Web Access
        • Configuring RSS for advertising RemoteApps in Windows 7
      • Understanding Remote Desktop and Virtual Desktop Infrastructures
      • Scaling with Remote Desktop Services
    • Summary
  • 13. Balancing Flexibility and Security with Application Virtualization
    • Microsoft Application Virtualization 4.5 SP1 for Windows desktops
      • Isolating applications with SystemGuard
        • Deploying App-V
          • Deploying App-V using the standalone model
          • Deploying App-V using the streaming model
          • Deploying App-V using the full infrastructure
      • Creating a self-service system with App-V for standard users
        • Enforcing security descriptors
        • Emulating Application Programming Interface (API)
        • Solving App-V compatibility problems with shims
      • Sequencing an application for App-V
        • Installing the sequencer
        • Installing the client
      • Streaming applications with an App-V Server
        • Installing Microsoft System Center Application Virtualization Streaming Server
      • Deploying and managing applications for users who never connect to the corporate intranet
      • Updating applications and Differential Streaming
        • Active Update
        • Override URL
    • VMware ThinApp
    • Summary
  • 14. Deploying XP Mode VMs with MED-V
    • Solving least privilege security problems using virtual machines
      • Virtual PC and Windows 7 XP Mode
        • Differentiating between App-V and XP Mode
        • Setting up Windows 7 XP Mode
        • Launching applications installed in XP Mode from the Windows 7 Start menu
        • Security concerns when running XP Mode
    • Microsoft Enterprise Desktop Virtualization (MED-V)
      • Installing MED-V 1.0 SP1
        • Installing the Image Repository
        • Installing the MED-V Server component
        • Installing the MED-V Management Console
      • Preparing a virtual machine for use with MED-V
      • Working with the MED-V Management Console
        • Importing a VM for testing
        • Creating a usage policy
        • Testing the workspace and usage policy
        • Packing the VM for use with the MED-V Server
        • Uploading the VM image to the MED-V Server
        • Testing the uploaded VM image
    • Summary
  • Index

pokaż cały spis treści

ukryj recenzje