Windows 8 After & Beyond
Raymond P. L. Comvalius

About the speaker
• Raymond P. L. Comvalius
• Consultant, trainer and author
• MVP Windows Expert IT Pro since 2011
• raymond.comvalius@nextxpert.nl
• @nextxpert

About this session
• After & Beyond
• Windows to Go
• User Environment Virtualization
• User Account Control
• Enhanced Protected Mode
• 1.0
• 33 slides, 5 demos, 0 minutes of Q&A, 100% cloud free
Windows to Go
• Start Windows 8 from a USB stick
• Preferably USB 3.0, for performance
• Block the internal disks
• Drivers
• DirectAccess
• BitLocker
• Why not on YOUR computer?

Building Windows to Go
• Tools
  • Diskpart
  • DISM
  • BcdBoot
  • Windows 8 image
  • Notepad

Demo: Create a Windows to Go stick
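The build steps behind the demo, as an added example that is not part of the deck: it uses the tools the "Building Windows to Go" slide lists (diskpart, DISM, BcdBoot and a hand-written unattend file) and implements "block the internal disks" with a SAN policy. Assumptions: it runs elevated on a Windows 8 host, $UsbDiskNumber and $WimPath are placeholders for your own stick and image, and the amd64 component is the only one listed.

```powershell
# Added example, not from the deck: build a Windows To Go stick with diskpart, DISM,
# BcdBoot and an unattend file. Run elevated on a Windows 8 host. $UsbDiskNumber and
# $WimPath are placeholders (ASSUMPTIONS for this host); the stick is WIPED.
$UsbDiskNumber = 1                         # disk number shown by "list disk" in diskpart
$WimPath       = 'D:\sources\install.wim'  # Windows 8 install image
$WimIndex      = 1                         # edition index inside the WIM
$DriveSpec     = 'W:'                      # letter the stick gets while we build it
$Root          = $DriveSpec + '\'

function Invoke-Step([string]$Name, [scriptblock]$Action) {
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. One active NTFS partition on the stick (USB 3.0 recommended for performance).
Invoke-Step 'diskpart' {
@"
select disk $UsbDiskNumber
clean
create partition primary
format fs=ntfs quick
active
assign letter=$($DriveSpec.TrimEnd(':'))
exit
"@ | diskpart.exe
}

# 2. Apply the Windows 8 image to the stick.
Invoke-Step 'DISM apply' { dism.exe /Apply-Image "/ImageFile:$WimPath" "/Index:$WimIndex" "/ApplyDir:$Root" }

# 3. Boot files for both BIOS and UEFI firmware on the same partition.
Invoke-Step 'bcdboot' { bcdboot.exe "${Root}Windows" /s $DriveSpec /f ALL }

# 4. "Block internal disks": SAN policy 4 keeps the host's fixed disks offline, so the
#    roaming OS neither reads nor damages them. This is the Notepad step on the slide.
$sanPolicyXml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
"@
$sanPolicyPath = Join-Path $env:TEMP 'san_policy.xml'
Set-Content -Path $sanPolicyPath -Value $sanPolicyXml -Encoding UTF8
Invoke-Step 'DISM apply-unattend' { dism.exe "/Image:$Root" "/Apply-Unattend:$sanPolicyPath" }
```

Add a second component with processorArchitecture="x86" to the unattend file if the image is 32-bit; BitLocker and drivers from the slide are applied on first boot and are not covered here.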
User State Virtualization?
• 2009 white paper:
  • Folder Redirection
  • Offline Folders
  • Roaming Profiles

User Environment Virtualization
• 2012: new addition to MDOP
• UE-V (how do I pronounce this?)
• MS alternative to roaming profiles
• Integration with App-V and Remote Desktop

UE-V requirements
• OS:
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows 8 Server
• A shared folder per user
• A shared folder for settings templates
• Offline Files for offline use
• UE-V Agent software on the client

UE-V Management
• UE-V Generator
  • XML settings template
• Tools
  • WMI
  • Registry
  • PowerShell

Built-in Templates
• Office 2010
• IE9 & 10
• Windows Settings
  • Themes
  • Ease of Access
• Windows Accessories
  • Notepad
  • Paint
  • Wordpad
  • Etc.

Triggers
• Windows
  • Log on & log off
  • Lock & unlock
  • Remote session start
• Applications
  • Application start & stop

UE-V Pros & Cons
• Pro
  • Finally a whitelist for roaming settings
  • Few requirements
  • Simple to implement
• Con
  • Few settings templates
  • Not in the OS
  • Limited to files in %userprofile%
  • Copies only static information

Demo: User Environment Virtualization
Windows User Types
• The Administrator: the account named ‘administrator’
• An Administrator: your name with administrator privileges
• Protected Administrator, AKA ‘Administrator in Admin Approval Mode’
• Standard User: your name without administrator privileges

Standardizing the User Token
• User SID
• Local/Builtin group SIDs
  • Administrators
  • Backup Operators
  • Power Users
  • Network Configuration Operators
• Domain group SIDs
  • Group Policy Creator Owners
  • Schema Admins
  • Enterprise Admins
  • Denied RODC Password Replication Group
• Mandatory Label
• Rights/Privileges
  • Create a token object
  • Act as part of the operating system
  • Take ownership of files and other objects
  • Load and unload device drivers
  • Back up files and directories
  • Restore files and directories
  • Impersonate a client after authentication
  • Modify an object label
  • Debug programs

Demo: Analysis of the user access token
User Account Control – “Best Practice”
• Disable it
  • Metro apps no longer work
  • IE loses “Protected Mode”
• Password to elevate
  • An opportunity for malware
Integrity Levels
• Mandatory Access Control
• Levels are part of the ACLs and tokens
• A lower-level object has limited access to higher-level objects
• Used to protect the OS and for Internet Explorer Protected Mode
• System: Services
• High: Administrators
• Medium (default): Standard Users
• Low: IE Protected Mode

Standardizing the User Token
• User SID
• Local/Builtin group SIDs
• Domain group SIDs
• Mandatory Label
  • Integrity level: High (elevated token)
  • Integrity level: Medium
• Rights/Privileges

IE Protected Mode
• Only with User Account Control enabled
• iexplore.exe runs with Low integrity level
• User Interface Privilege Isolation (UIPI)
• Internet Explorer 9 / Internet Explorer 8

IE broker mechanism
• iexplore.exe protected-mode broker object (UI frame, Command Bar, Favorites Bar): Medium integrity level, Protected Mode = Off
• iexplore.exe tab processes 1..n (Tab 1 .. Tab n, Toolbar Extensions, ActiveX Controls, Browser Helper Objects)
  • Trusted Sites: Medium integrity level, Protected Mode = Off
  • Internet/Intranet: Low integrity level, Protected Mode = On

Demo: Integrity Levels
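One way to do what the token and integrity-level demos show, as an added example that is not from the deck: it reads the current process token through whoami and reports the Mandatory Label RID, the level name from the slide, and whether BUILTIN\Administrators has been filtered to "deny only", which is how a Protected Administrator's non-elevated token differs from the elevated one. It assumes the English column and attribute text that whoami prints; a localised Windows (Dutch, for instance) prints different words.

```powershell
# Added example, not from the deck: summarise the current access token from
# "whoami /groups /fo csv". Assumes English whoami output (column "SID", "Attributes",
# attribute text "Group used for deny only"); localised Windows uses other words.
function Get-TokenSummary {
    # Integrity-level SIDs are S-1-16-<RID>; these RIDs are the levels on the slide.
    $levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { throw 'No Mandatory Label found in whoami output' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    $levelName = if ($levels.ContainsKey($rid)) { $levels[$rid] } else { 'Other' }

    # BUILTIN\Administrators is S-1-5-32-544. In the filtered token UAC gives a Protected
    # Administrator it is still listed, but as "Group used for deny only": it can deny
    # access, never grant it. The elevated (High) token lists it as an enabled group.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        IntegrityRid      = $rid
        IntegrityLevel    = $levelName
        AdministratorsSid = [bool]$admins
        AdminsDenyOnly    = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        ElevatedToken     = ($rid -ge 12288)
    }
}

# Run once in a normal PowerShell window and once "as administrator" to compare both tokens.
Get-TokenSummary | Format-List
```

A Standard User shows Medium with no Administrators SID at all; a Protected Administrator shows Medium with AdminsDenyOnly = True, and the same account after elevation shows High with AdminsDenyOnly = False.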
Enhanced Protected Mode
• Prevention against cross-zone attacks
  • “Cross-Site Request Forgery (CSRF)”
  • “Intranet port scanning”
• Default in Metro Internet Explorer
• Protection of intranet resources
  • 127.0.0.1 vs. localhost

AppContainer
• For programmers in the Metro UI
• What an app is allowed to do must be declared in advance:
  • documentLibrary
  • musicLibrary
  • videoLibrary
  • picturesLibrary
  • microphone
  • webcam
  • removableStorage
  • location
  • proximity
  • internetClient
  • internetClientServer
  • textMessaging
  • privateNetworkClient
  • privateNetworkClientServer
  • certificates

Demo: Enhanced Protected Mode
Defining the business case
• Form factors
• Metro interface
• Security
• Apps

Know what you are getting into
(Diagram of the workplace stack; labels as extracted: Services, Infra, Workplace (Werkplek), Internet Access, Mail, Unified Comms, Remote Desktop, App-V, SCCM, Intranet, AV Mgt, File Svc, Print Svc, PKI, HD encryption, Layered apps, Business apps, Middleware, Base apps, Office, AV, Mgt Agents, Firewall, AD, Client Operating System (Windows 8), IE, Profile Mgt, Config, Deploy, Drivers, Hardware, LAN, Wifi, 3G, Remote Access.)