Windows Vista Security Configuration and IE7 Browser Tools

1. Configuring Windows Vista Security Chapter 3

2. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block based upon levels High will block all pop-ups Medium blocks a majority of pop-ups Low allowes pop-ups for secure sites Exception list configurable in Settings to allow pop-ups from certain, specified sites

3. IE7 Phishing Filter Helps prevent navigation to unsafe websites Matches a web site against several criteria Checks against local list of legitimate sites Sends a query to the Microsoft URL Reputation Service Check for suspicious content Will warn the user of a suspicious or reported phishing web site Configurable by disabling outright or disabling automatic checking with Microsoft URL Reputation Service

4. IE7 Protected Mode IE7 runs in a restricted mode that reduces level of access to OS components If compatibility issue exists with a web page or app that is legitimate, you can disable Protected Mode. Running with Protected Mode disabled is a security risk.

5. IE7 ActiveX Opt-In & ActiveX Installer Service ActiveX Opt-In will disable ActiveX controls and only enable them when a user responds positive to a prompt to install Does not apply to Intranet and Trusted zones Can be disabled in Security Settings for the security zone ActiveX Installer Service allows only preapproved ActiveX controls to be installed without UAC elevation. Avoids confusion around internal web sites Set via Group Policy

6. IE7 SSL Features Users can now get more information from IE7 about their secure connections Click on the lock to the right in the address bar to see details of the sites certificate

7. Encrypted File System EFS enables encryption of files and folders that is transparent to the user New features of EFS Store keys and recovery keys on a on a smart card Encrypt the page file Updated support for new certificate types and key types New Group Policy options EFS requires certificates assigned to user accounts

8. BitLocker Drive Encryption BitLocker is whole disk encryption Requires one of these options: A Trusted Platform Module A USB flash drive to store encryption keys Also must have: BIOS configured to boot from hard drive first 2 NTFS partitions created before installing Windows Vista System volume be at least 1.5GB and set as active

9. Auditing Security Events 50 new audit policy subcategories that allow auditing to take place in a granular way New audit settings for: Backup and Restore Subcategory settings that override policy category settings Shut down system immediately if unable to log security audits

10. The Security Configuration and Analysis Tool An MMC snap-in that allows a comparison of the local system against a security template Useful when comparing desired group policy settings from a domain against what is occurring on the system

11. User Account Control (UAC) New way to control privileges Keeps accounts privs set low unless needed to prevent security risk Fully configurable Can be controlled from an enterprise level by group policy

12. User Rights Settings Standard User Rights Rights to run the OS and installed applications Typical user Administrative Rights Runs as standard user, but allows the user to enter an administrative mode Admin user with full rights to change settings Admin Approval Mode Admins are prompted to approve actions that require admin rights On by default for admin accounts

13. Configuring UAC Accessed via the Local Security Policy Can turn specific features on or off Can configure behavior of UAC prompts Can be set per user

14. Security Patches and Updates Windows Update applet manages updates from Microsoft for the system Configurable from schedule to automatic installation of updates You can manually apply updates. Manual installation is usually the needed with optional updates You can hide updates if they are unwanted and view available updates that were hidden