Security Features in Microsoft® Windows® XP
James Noyce, Senior Consultant
Security Solutions Team, Business Critical Services
Microsoft Security Solutions, Feb 4, 2003
Agenda
Windows XP Security Features
What's New Since Windows 2000
Drill down into:
Secure Wireless Networking
Group Policy
Software Restriction Policies
Internet Connection Firewall
Security Is Only As Strong As The Weakest Link
Technology is neither the whole problem nor the whole solution
Secure systems depend upon Technology, Processes and People
Technology, Process, People
Technology:
Baseline technology
Standards, Encryption, Protection
Product security features
Security tools and products
Process:
Planning for security
Prevention
Detection
Reaction
People:
Dedicated staff
Training
Security - a mindset and a priority
Evolution of Windows Desktop Security
Microsoft Windows Security Enhancements

Security Feature                               | Windows 98              | Windows 2000            | Windows XP
Integrated Wireless Networking                 | Add-on                  | Add-on                  | New with Windows XP
Internet Connection Firewall                   | Available Third Party   | Available Third Party   | New with Windows XP
Secure Networking (IPSec)                      | -                       | Standard                | Standard
User-Level Security for shared files, folders  | -                       | Standard                | Standard
Encrypting File System                         | -                       | Standard                | Standard
Public Key Infrastructure                      | -                       | Standard                | Standard
Group Policy Objects                           | -                       | Standard                | Standard
Auditing                                       | -                       | Standard                | Standard
Smart Card Support                             | Available Third Party   | Standard                | Standard
Multi-User Support                             | Limited Support         | Standard                | Standard
Screen Saver Password Protection               | Standard                | Standard                | Standard
Strong Authentication                          | Limited Support         | Standard                | Standard
Windows XP Security Features
Users and Groups
Rights and Permissions
Kerberos
Crypto API
Data Protection API
Screen Saver Password
Digital Certificates
Smart Card Logon
Remote Access
Auditing
IP Security
Encrypting File System
Group Policy
802.1x Network Authentication
Credentials Manager
Software Restriction Policies
Internet Connection Firewall
Builds on Windows 2000 Professional Security Features
Existing Security Features
Users and Groups
Rights and Permissions
Kerberos
Crypto API
Data Protection API
Screen Saver Password
Enhanced Security Features
Digital Certificates
Smart Card Logon
*Auto enrolment and renewal for users
Supports Remote Desktop
IP Security (IPSec)
Stronger D/H key exchange
NAT traversal
Enhanced Security Features
Auditing
Remote Access (VPN, DUN and PPPoE)
*More granular operation based auditing
Leverages Internet Connection Firewall
L2TP/IPSec over NAT
Group Policy
Increased number of policy settings
Resultant Set of Policy (RSoP)
Active Directory Group Policy
Group Policy
Password Policy
Lockout Policy
Kerberos Policy
Audit Policy
User Rights
Security Options (Registry Values)
Event Log Settings
Restricted Groups
System Services (start-up mode and ACLs)
Registry ACLs
File System ACLs
Security Configuration Toolset
Use GPEDIT.MSC to edit Local Group Policy
Use SECPOL.MSC to edit Local Security Policy
Use Security Configuration and Analysis (SCA) to perform auditing and handle templates
Use SCA to import/export security templates (.INF files) for distribution via Group Policy
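The analysis that SCA performs, comparing a security template against a machine's effective settings and listing every difference, written out as an added Python example (it is not code from the presentation or from Microsoft). The template text uses the real section and key names of .INF security templates; its values, and the snapshot of "current" settings, are constructed for the example.

```python
"""Added example (not from the deck): parse a Windows security template
(.INF) and compare it with a machine's effective settings, the way the
Security Configuration and Analysis snap-in reports differences."""
import configparser
from typing import Dict, List, Tuple

# Constructed template in the [section] key = value layout of .INF security
# templates; section and key names are real, the values are chosen here.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Sections that carry policy; [Unicode] and [Version] are file metadata.
POLICY_SECTIONS = ("System Access", "Event Audit")

Settings = Dict[str, Dict[str, str]]


def parse_template(text: str) -> Settings:
    """Return {section: {key: value}} for the policy sections of a template."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    return {s: dict(cp[s]) for s in POLICY_SECTIONS if cp.has_section(s)}


# Constructed snapshot of a workstation's effective settings, as SCA would
# load them into its analysis database (hypothetical values).
CURRENT_SETTINGS: Settings = {
    "System Access": {
        "MinimumPasswordLength": "0",
        "PasswordComplexity": "0",
        "MaximumPasswordAge": "42",
        "LockoutBadCount": "0",
        "LockoutDuration": "30",
    },
    "Event Audit": {
        "AuditLogonEvents": "0",
        "AuditPolicyChange": "3",
        "AuditAccountLogon": "3",
    },
}

Finding = Tuple[str, str, str, str]  # (section, key, template value, current value)


def analyze(template: Settings, current: Settings) -> List[Finding]:
    """Analysis step: list every template setting the machine does not match.
    A key missing from the snapshot is reported with the value 'not defined'."""
    findings: List[Finding] = []
    for section, keys in template.items():
        actual_section = current.get(section, {})
        for key, wanted in keys.items():
            actual = actual_section.get(key, "not defined")
            if actual != wanted:
                findings.append((section, key, wanted, actual))
    return findings


def configure(template: Settings, current: Settings) -> Settings:
    """Configure step: apply the template on top of the current settings and
    return the new effective settings (the snapshot itself is left untouched)."""
    result = {s: dict(v) for s, v in current.items()}
    for section, keys in template.items():
        result.setdefault(section, {}).update(keys)
    return result


if __name__ == "__main__":
    tpl = parse_template(SAMPLE_TEMPLATE)
    for section, key, wanted, actual in analyze(tpl, CURRENT_SETTINGS):
        print(f"[{section}] {key}: template={wanted} machine={actual}")
```

Running the block lists the four settings where the constructed machine falls short of the template; applying `configure` and analysing again yields no findings, which is the state a template distributed through Group Policy is meant to keep every workstation in.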
Enhanced Security Features
Encrypting File System
Support for AES
EFS over WebDAV
Shared EFS
Misc…
Controlled network access
Offline file synchronisation
New Security Features
802.1x Network Authentication
Credentials Manager
Software Restriction Policies
Internet Connection Firewall
802.1x Network Authentication
Secure wired and wireless networks from unauthorised access
Do not confuse with 802.11b/802.11x/etc…
Imagine authenticating the computer / user to the network port on the wall
Then picture accessing the network port via wireless…
802.1x Network Authentication
Supports password based (PEAP) and certificate based (EAP-TLS) credentials
Dynamic, rotating WEP keys
Requires backend infrastructure:
Internet Authentication Service (IAS)
Domain Controller
Certificate Authority
802.1x Network Authentication
LAN Access: Ethernet Switch
WLAN Access: Wireless Access Point
Authentication And Policy: Active Directory, IAS/RADIUS Server, PKI Server
Auditing
Credentials Manager
Users receive seamless access to resources for which they have valid credentials
Provides a common UI for gathering credentials
Provides per-user safe storage of related credentials
Unlocks those credentials using your user logon
Credentials Manager
Secure roaming storage for user credentials:
Username, password
X.509 certificates (smart cards)
Passport
Software Restriction Policies
Restricts execution of unmanaged code (WIN32, scripts, etc…)
Not to be confused with managed code restrictions in the .NET Framework
Internet Connection Firewall
Provides baseline intrusion prevention
Protects against scans for information
Denies all unsolicited inbound traffic
Stateful inspection of traffic
Configurable filtering and logging
Enabled or disabled via location aware Active Directory group policy
Summary
Most security features build upon what was present in Windows 2000 Professional
New security features simplify security management and reduce risk
Next Steps
Top 5 Web Resources
http://www.microsoft.com/windowsxp/pro/techinfo/
http://www.microsoft.com/technet/prodtechnol/winxppro/default.asp
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prork_overview.asp
http://www.nsa.gov/snac/winxp/download.htm
http://www.microsoft.com/security
http://www.microsoft.com/uk/security