Security Features in Microsoft® Windows® XP
James Noyce, Senior Consultant
Security Solutions Team, Business Critical Services
Microsoft Security Solutions, Feb 4, 2003

Agenda
• Windows XP Security Features
• What’s New Since Windows 2000
• Drill down into
  • Secure Wireless Networking
  • Group Policy
  • Software Restriction Policies
  • Internet Connection Firewall

Security Is Only As Strong As The Weakest Link
• Technology is neither the whole problem nor the whole solution
• Secure systems depend upon Technology, Processes and People

Technology, Process, People
• Technology
  • Baseline technology
  • Standards, Encryption, Protection
  • Product security features
  • Security tools and products
• Process
  • Planning for security
  • Prevention
  • Detection
  • Reaction
• People
  • Dedicated staff
  • Training
  • Security - a mindset and a priority

Windows XP Security Features
Builds on Windows 2000 Professional Security Features
• Users and Groups
• Rights and Permissions
• Kerberos
• Crypto API
• Data Protection API
• Screen Saver Password
• Digital Certificates
• Smart Card Logon
• Remote Access
• Auditing
• IP Security
• Encrypting File System
• Group Policy
• 802.1x Network Authentication
• Credentials Manager
• Software Restriction Policies
• Internet Connection Firewall

Existing Security Features
• Users and Groups
• Rights and Permissions
• Kerberos
• Crypto API
• Data Protection API
• Screen Saver Password

Enhanced Security Features
• Digital Certificates
  • *Auto enrolment and renewal for users
• Smart Card Logon
  • Supports Remote Desktop
• IP Security (IPSec)
  • Stronger D/H key exchange
  • NAT traversal

Enhanced Security Features
• Auditing
  • *More granular operation based auditing
• Remote Access (VPN, DUN and PPPoE)
  • Leverages Internet Connection Firewall
  • L2TP/IPSec over NAT
• Group Policy
  • Increased number of policy settings
  • Resultant Set of Policy (RSoP)

Group Policy
• Password Policy
• Lockout Policy
• Kerberos Policy
• Audit Policy
• User Rights
• Security Options (Registry Values)
• Event Log Settings
• Restricted Groups
• System Services (start-up mode and ACLs)
• Registry ACLs
• File System ACLs

Security Configuration Toolset
• Use GPEDIT.MSC to edit Local Group Policy
• Use SECPOL.MSC to edit Local Security Policy
• Security Configuration and Analysis (SCA) to perform auditing and handle templates
• Use SCA to import/export security templates (.INF files) for distribution via Group Policy

Enhanced Security Features
• Encrypting File System
  • Support for AES
  • EFS over WebDAV
  • Shared EFS
• Misc…
  • Controlled network access
  • Offline file synchronisation

New Security Features
• 802.1x Network Authentication
• Credentials Manager
• Software Restriction Policies
• Internet Connection Firewall

802.1x Network Authentication
• Secure wired and wireless networks from unauthorised access
• Do not confuse with 802.11b/802.11x/etc…
• Imagine authenticating computer / user to the network port on the wall
• Then picture accessing the network port via wireless…

802.1x Network Authentication
• Supports password based (PEAP) and certificate based (EAP-TLS) credentials
• Dynamic, rotating WEP keys
• Requires backend infrastructure
  • Internet Authentication Service (IAS)
  • Domain Controller
  • Certificate Authority

802.1x Network Authentication
[Diagram labels: LAN Access, Ethernet Switch, WLAN Access, Wireless Access Point, Authentication and Policy, Auditing, Active Directory, IAS/RADIUS Server, PKI Server]

Credentials Manager
• Users receive seamless access to resources for which they have valid credentials
• Provide a common UI for gathering credentials
• Provide per user safe storage of related credentials
• Unlock those credentials using your user logon

Credentials Manager
• Secure roaming storage for user credentials
  • Username, password
  • X.509 certificates (smart cards)
  • Passport

Software Restriction Policies
• Restricts execution of unmanaged code
  • WIN32, scripts, etc…
• Not to be confused with managed code restrictions in the .NET Framework

Internet Connection Firewall
• Provides baseline intrusion prevention
• Protects against scans for information
• Denies all unsolicited inbound traffic
• Stateful inspection of traffic
• Configurable filtering and logging
• Enabled or disabled via location aware Active Directory group policy

Summary
• Most security features build upon what was present in Windows 2000 Professional
• New security features simplify security management and reduce risk

Next Steps
• Top 5 Web Resources
  • http://www.microsoft.com/windowsxp/pro/techinfo/
  • http://www.microsoft.com/technet/prodtechnol/winxppro/default.asp
  • http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prork_overview.asp
  • http://www.nsa.gov/snac/winxp/download.htm
  • http://www.microsoft.com/security
  • http://www.microsoft.com/uk/security