List of Figures


Chapter 1: New Security Features

Figure 1-1: DEP can be enabled for all processes that are not specifically exempted.
Figure 1-2: Windows Defender is included in Windows Vista.
Figure 1-3: The new Windows logon process provides more granular hooks for enhancement.
Figure 1-4: The UAC elevation dialog box is on the secure desktop.
Figure 1-5: The new Event Log interface is a vast improvement.
Figure 1-6: Windows CardSpace can represent credentials for many sites as "cards."

Chapter 2: How Hackers Attack

Figure 2-1: Hydra automated password guessing program being used against a Telnet service
Figure 2-2: Cain & Abel being used to crack Windows password hashes
Figure 2-3: Plain-text FTP passwords caught by Cain & Abel using network traffic eavesdropping techniques
Figure 2-4: Milw0rm Web site
Figure 2-5: Metasploit Framework web interface
Figure 2-6: Bot phoning home

Chapter 3: Windows Infrastructure

Figure 3-1: Windows Vista boot sequence summary
Figure 3-2: New Trusted Platform Module (TPM) console
Figure 3-3: Initializing the Trusted Platform Module (TPM) chip
Figure 3-4: Creating a Trusted Platform Module (TPM) password
Figure 3-5: Saving the TPM password to media
Figure 3-6: TPM initialization in process
Figure 3-7: TPM and BitLocker group policy settings
Figure 3-8: Enabling BitLocker using the BitLocker Drive Encryption applet
Figure 3-9: BitLocker startup options
Figure 3-10: Saving BitLocker key to USB
Figure 3-11: Saving a BitLocker recovery key
Figure 3-12: Enabling BitLocker system check
Figure 3-13: Initial BitLocker encryption in process
Figure 3-14: Confirming BitLocker encryption status in disk management
Figure 3-15: Local Security Policy and GPO application order
Figure 3-16: DNS query order
Figure 3-17: Example of allowing a service to interact with the desktop
Figure 3-18: Example of a service sending a message after it fails more than two times
Figure 3-19: Tasklist /svc revealing svchost hosted processes
Figure 3-20: Example of Autoruns utility
Figure 3-21: Main Registry hives
Figure 3-22: Example HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Figure 3-23: Partial access token listing using Whoami /all

Chapter 4: User Account Control

Figure 4-1: UAC approval dialog box for administrator in admin-approval mode
Figure 4-2: Modifying or deleting files in %ProgramFiles% and %windir% does not work even as an administrator.
Figure 4-3: Administrators, by default, have a token that marks the Administrators SID for Deny.
Figure 4-4: A user can initiate elevation of a task by right-clicking the program and selecting "Run as administrator."
Figure 4-5: Elevation prompts are shown on the secure desktop by default.
Figure 4-6: An elevated process has a full administrative token.
Figure 4-7: An unsigned binary has a different elevation dialog box.
Figure 4-8: Unsigned driver installation dialog box
Figure 4-9: IE will prompt for installation of ActiveX controls.
Figure 4-10: The IE ActiveX Control installation prompt is not particularly useful.
Figure 4-11: The elevation prompt when running as a standard user
Figure 4-12: Elevated tasks run on the standard user's desktop.
Figure 4-13: The Windows Event Log shows the times in the local time zone, but computes them from the internally stored UTC time.
Figure 4-14: Task Manager uses a COM Moniker to allow users to use only a subset of the functionality without elevating.
Figure 4-15: Task manager launched elevated
Figure 4-16: Right-click on Windows Explorer.
Figure 4-17: Attempting to elevate Windows Explorer
Figure 4-18: Attempting to delete a protected file from an "elevated" Explorer window
Figure 4-19: You can turn off UAC with the User Accounts control panel applet.
Figure 4-20: Windows Vista supports Fast User Switching even on domain-joined computers.
Figure 4-21: You can use the elevate.exe application to elevate any application from a command line.
Figure 4-22: With the elevate.exe tool, it is easy to get an elevated command prompt anywhere.

Chapter 5: Managing Access Control

Figure 5-1: The Effective Permissions tab evaluates permissions for any user.
Figure 5-2: A NULL DACL means that the object has not been secured.
Figure 5-3: The Sharing tab received a makeover in Windows Vista.
Figure 5-4: ACL UI dialog box in Windows XP
Figure 5-5: ACL UI dialog box from Windows Vista
Figure 5-6: Modifying the audit settings in Windows Vista always requires elevation.
Figure 5-7: The Registry ACLs include an ACE for RESTRICTED in several places.

Chapter 6: Application Security

Figure 6-1: Security token for RPC Endpoint Mapper on Windows Vista
Figure 6-2: A single service process can host many services.
Figure 6-3: Sessions can have multiple window stations, which can have multiple desktops.
Figure 6-4: The ActiveX Installer Service configured to allow you to install the Adobe Flash Player
Figure 6-5: After the ActiveX Installer Service has been configured to allow installation, the user gets a simple installation dialog box.

Chapter 7: Vista Client Protection

Figure 7-1: A manual MSRT scan in progress
Figure 7-2: MSRT informs you when it finds and removes malware.
Figure 7-3: Windows Security Center allows a user to view or configure security features.
Figure 7-4: Windows Defender performing a scan
Figure 7-5: A Windows Defender warning
Figure 7-6: Windows Defender can be configured to run scheduled scans.
Figure 7-7: Windows Defender can log to the event log when it detects changes.
Figure 7-8: Windows Defender can perform heuristic scanning as well.
Figure 7-9: Windows Defender gives information on startup programs.
Figure 7-10: One of the best features of Windows Defender is that it gives you insight into the processes inside an Svchost.

Chapter 8: Securing Internet Explorer

Figure 8-1: Internet Explorer's Protected Mode can be enabled or disabled on a per zone basis.
Figure 8-2: Internet Explorer's status bar indicating that Protected Mode is enabled
Figure 8-3: Program prompting the user to run it outside of Protected Mode
Figure 8-4: Internet Explorer's phishing filter detecting a known phishing Web site
Figure 8-5: Internet Explorer's phishing filter warning about a possible phishing Web site
Figure 8-6: Microsoft's phishing filter online reporting form
Figure 8-7: Microsoft's phishing filter online reporting form challenge
Figure 8-8: Internet Explorer's Manage Add-ons feature
Figure 8-9: Internet Explorer detecting an installed incompatible Add-on application during startup
Figure 8-10: Internet Explorer detecting a Web site's invalid digital certificate
Figure 8-11: Example CardSpace entries
Figure 8-12: Internet Explorer security zones
Figure 8-13: Adding a Web site to the Local intranet zone
Figure 8-14: Internet Explorer asking for confirmation before letting a Web site use the Clipboard for pasting operations

Chapter 9: Introducing IIS 7

Figure 9-1: Representative example of a directory traversal attack
Figure 9-2: Example of clear text password caught in HTTP traffic
Figure 9-3: Installing IIS Features
Figure 9-4: Default IIS Web site
Figure 9-5: Default IIS application pools
Figure 9-6: Choosing between managed and unmanaged environments
Figure 9-7: Setting a custom application pool identity
Figure 9-8: Example of IIS 7 running multiple web applications, with a range of components
Figure 9-9: IIS Manager
Figure 9-10: IIS Manager with feature delegation option selected
Figure 9-11: Choosing the default delegation state
Figure 9-12: Configuring IIS Authentication option
Figure 9-13: Choosing IIS Authentication method
Figure 9-14: Enabling Web Application pool identity instead of IIS Anonymous User
Figure 9-15: Configuring the ASP.NET Impersonation setting
Figure 9-16: Selecting Handler Mappings in the IIS Manager
Figure 9-17: Choosing the appropriate Handler permission
Figure 9-18: Choosing handler focus
Figure 9-19: Configuring HTTP verbs
Figure 9-20: The Directory Browsing Feature in IIS Admin
Figure 9-21: Modifying Directory Browsing attributes
Figure 9-22: Selecting Modules Feature in IIS 7
Figure 9-23: Enabling or disabling specific modules in IIS 7

Chapter 10: Protecting E-mail

Figure 10-1: Screensavers are basically executables.
Figure 10-2: Moving the extension away from the file is often used to fool users.
Figure 10-3: File extensions are not a good way to make security decisions.
Figure 10-4: By hovering over a link in an e-mail, you can see where the link actually goes.
Figure 10-5: Many e-mail protocols are clear-text.
Figure 10-6: Windows Mail is very conspicuous about suspected phishing messages.
Figure 10-7: The anti-phishing features can be disabled or modified.
Figure 10-8: Windows Mail contains client-side junk-mail protection.
Figure 10-9: Windows Mail contains a "Safe sender" list feature.
Figure 10-10: The "blocked senders" list may primarily be useful to block messages from people you do not want to talk to.
Figure 10-11: You may block messages from a particular TLD.
Figure 10-12: You may block messages using certain character encodings.
Figure 10-13: Windows Mail stores all e-mail messages as text files.
Figure 10-14: Windows Mail can convert all messages to plain-text.
Figure 10-15: Windows Mail preserves the original HTML content as an HTML attachment.
Figure 10-16: You can also use plain-text for all outgoing messages.
Figure 10-17: Ensure that your mail client reads all mail in the Restricted sites zone.
Figure 10-18: For sites and e-mail messages in the Restricted Sites zone, the user is prompted for her username and password.
Figure 10-19: By default, the user will not be able to access high-risk file types.
Figure 10-20: An administrator can modify the behavior of the AM using Group Policy.

Chapter 11: Managing Windows Firewall

Figure 11-1: The architecture of the Windows Filtering Platform
Figure 11-2: When configuring a firewall rule, you can also configure IPsec.
Figure 11-3: Dialog box that a user might see when an application tries to connect out
Figure 11-4: The user will almost certainly never see this dialog box.
Figure 11-5: During setup, you have to select a firewall profile.
Figure 11-6: The Windows Firewall control panel
Figure 11-7: The Windows Firewall Settings dialog box
Figure 11-8: Windows Security Center
Figure 11-9: Windows Firewall with Advanced Security snap-in
Figure 11-10: Windows Firewall settings in Group Policy
Figure 11-11: You can also configure the Windows XP SP2 firewall settings in Group Policy.
Figure 11-12: Configuring the firewall to allow connections only from particular users
Figure 11-13: Building a program rule, Step 1
Figure 11-14: Enter the path to the program you wish to control.
Figure 11-15: We will require IPsec authentication.
Figure 11-16: Restricting connections to certain computers
Figure 11-17: Configure which profile the rule applies in.
Figure 11-18: Create a server-to-server connection security rule.
Figure 11-19: Leave the end-points as "Any IP addresses".
Figure 11-20: We want to request authentication.
Figure 11-21: Click the Customize button to select advanced authentication protocols.
Figure 11-22: Select Kerberos as your authentication protocol.
Figure 11-23: Customizing a rule by interface type
Figure 11-24: You can use a WMI filter to apply different Group Policy settings based on the operating system version.
Figure 11-25: Predefined rules exist for particular services.
Figure 11-26: Configure restrictions for dynamic RPC ports.

Chapter 12: Server and Domain Isolation

Figure 12-1: You can restrict connections to only particular users.
Figure 12-2: You can now specify which authentication protocols are preferred.
Figure 12-3: Configuring IPsec rules in prior versions of Windows was anything but easy.
Figure 12-4: The initial screen on the connection security rule wizard asks you to select a rule type.
Figure 12-5: First you define which connections you require authentication on.
Figure 12-6: You can customize authentication protocols.
Figure 12-7: Set the default authentication options in the firewall properties.
Figure 12-8: Select end-points for a server-to-server rule by IP address.

Chapter 13: Wireless Security

Figure 13-1: Typical Wi-Fi setup
Figure 13-2: Manually inputting a WEP key
Figure 13-3: Manually inputting a WPA2 key
Figure 13-4: Example WPA2 setup options at the access point
Figure 13-5: Configuring a WPA2-Enterprise connection
Figure 13-6: Using WPA2 with EAP-MSCHAPv2
Figure 13-7: Instructing EAP-MSCHAPv2 to use the user's default logon name and password
Figure 13-8: Configuring WPA2 to require computer certificate authentication
Figure 13-9: Network stumbler in action
Figure 13-10: Disabling SSID broadcasting on access point

Chapter 14: Using Group Policy

Figure 14-1: Create a GPO for a different user by selecting it in the Browse dialog box.
Figure 14-2: You can add several local GPOs to a single console.
Figure 14-3: To delete a local Group Policy object, follow the same steps you used to add it and right-click the object name.
Figure 14-4: The Resultant Set of Policy tools also work with MLGPO.
Figure 14-5: Using the GPMC, you can get an at-a-glance view of the GPOs in your domain.
Figure 14-6: You can now manage much of Internet Explorer using Group Policy.
Figure 14-7: Group Policy operational events are now in the event log.
Figure 14-8: Attachment Manager settings in Group Policy
Figure 14-9: Windows Vista permits administrators to control device installation.
Figure 14-10: You can whitelist specific devices or entire classes of devices.
Figure 14-11: The Windows Vista RDP client can authenticate the server you connect to. Server authentication only works with Windows Vista or higher terminal servers.
Figure 14-12: Windows Vista offers several new configuration options, such as the encryption used for RDP sessions.

Chapter 15: Thinking about Security

Figure 15-1: How many users can make an intelligent security decision based on this dialog box?
Figure 15-2: Or based on this one?
Figure 15-3: Account Lockout settings



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
