Windows 7
Qing Liu, Qing.Liu@chi.frb.org
Michael Stevens, Michael.Stevens@chi.frb.org

Overview
  1. Financial Institution's Preliminary Steps
  2. User Interface
  3. Data Protection
  4. User and Group Changes
  5. Kernel Changes
  6. Audit Changes
  7. New and Changed Security Options

Section 1: Financial Institution's Preliminary Steps

Learning Objectives
  In this module you will learn:
  - Preliminary steps on migration
  - How to determine if a PC is Windows 7 ready
  - What features the various versions of Windows 7 provide to the FI

To Migrate or Not to Migrate?
  - Plan now
  - Start migration before 2012
  - Windows XP expires in 2014

Preliminary Migration Steps
  - Planning and rollout
  - Hardware upgrades
  - Application compatibility evaluation
  - New applications
  - Office 2007 consideration
  - Training
Hardware Requirements
                      32-bit                                    64-bit
  Processor           1 GHz                                     1 GHz
  Processor type      32-bit x86 or better, such as 64-bit      64-bit
  RAM                 1 GB                                      2 GB
  Hard disk space     16 GB                                     20 GB
  Graphics            DirectX 9 device with WDDM 1.0+ driver    DirectX 9 device with WDDM 1.0+ driver
  Note: The 64-bit edition of Windows offers better performance, but has additional system requirements (notably a 64-bit processor), needs different hardware drivers, and thus requires additional testing for hardware and software compatibility.
Windows 7 Versions
  Editions compared: Home Premium, Professional, Ultimate
  Feature
  - Make the things you do every day easier with improved desktop navigation.
  - Start programs faster and more easily, and quickly find the documents you use most often.
  - Make your web experience faster, easier and safer than ever with Internet Explorer 8.
  - Run many Windows XP productivity programs in Windows XP Mode.
  - Help protect data on your PC and portable storage devices against loss or theft with BitLocker.
Windows 7 Enterprise
  - DirectAccess (Security)
  - BranchCache
  - Federated Search
  - BitLocker and BitLocker To Go (Security)
  - AppLocker (Security)
  - Virtual desktop infrastructure (VDI) optimizations
  - Multilingual user interface

Windows 7 Readiness
  - Download Windows 7 Upgrade Advisor
  - Run the hardware / software compatibility report
  Windows 7 Upgrade Advisor links:
  http://windows.microsoft.com/enus/windows/downloads/upgrade-advisor
  http://www.microsoft.com/windows/windows-7/get/upgradeadvisor.aspx
Section 2: User Interface

Learning Objectives
  In this module you will:
  - Describe Windows 7's Graphical User Interface options
  - List new features
  - Become familiar with Windows XP Mode integrated virtualization

Changes to Windows Aero
  New taskbar: right-click applications to see new tasks

Changes to Windows Aero
  Taskbar thumbnails: quickly preview the content of each open window, not merely the name

Changes to Windows Aero
  Aero Peek: hover over the lower-right corner of the screen to reveal the desktop temporarily

Live Icons

Flip 3D

Getting Started

Start Menu and Search
  Many elements of Windows 7 incorporate new search capabilities:
  - Search box
  - Libraries
  - Ability to save searches

Demo: Search

Libraries

Gadgets
  - Gadgets mounted to the Desktop
  - Gadget selection window

How about old applications running on XP?
XP Mode
  - Processor: processor capable of hardware virtualization, with AMD-V or Intel VT turned on in the BIOS.
  - Memory: 2 GB of memory recommended.
  - Hard disk requirement: 20 MB of hard disk space for installing Windows Virtual PC. An additional 15 GB of hard disk space per virtual Windows environment is recommended.
Section 3: Data Protection

Learning Objectives
  In this module you will learn:
  - The current threats
  - Authentication and encryption features
  - Trusted Platform Module
  - Rights Management Service
  - Encrypting File System
  - BitLocker / BitLocker To Go

Current Threats
  Threats to data:
  - Password recovery programs are widely available that enable offline attacks
  - Offline attacks expose core system keys that allow for the compromise of secured data
  - Hundreds of thousands of laptops are lost every year
  Software-based security

Trusted Platform Module (TPM)
  - Module on the motherboard
  - Performs cryptographic functions
  - Can create, store and manage keys
  - Performs digital signature operations
  Source: http://www.trustedcomputinggroup.org

Multi-Factor Authentication
  Three authentication factors:
    Factor               Example
    Something you have   USB token, or TPM chip
    Something you know   Password
    Something you are    Fingerprint
  SINGLE-FACTOR: Something you have (TPM chip)
  MULTI-FACTOR:  Something you have (TPM chip and token) + Something you know (password)

Three Windows 7 Applications: RMS, EFS, and BitLocker
  Three levels of protection:
  - Rights Management Services (RMS): per-document enforcement of policy-based rights
  - Encrypting File System (EFS): per file or folder encryption of data for confidentiality
  - BitLocker Full Volume Encryption: per volume encryption (see earlier)

Rights Management Services (RMS)
  Rights Management Services embeds usage policies in documents to control their use:
  - Protecting confidential e-mail messages
  - Enforcing document rights
  - Distributing media content
  RMS components:
  - RMS-enabled application
  - Client software
  - Server software
Encrypting File System (EFS)
  - Only files and folders on NTFS volumes can be encrypted.
  - Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
  - Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
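The EFS behaviour above, as an added PowerShell example that is not part of the deck: it checks the file system of the volume a folder sits on, flags plaintext files inside a folder that is meant to be encrypted, and marks a folder so that files moved into it are encrypted automatically. The folder path in the usage line is a placeholder.

```powershell
# Added example (not from the deck): report EFS state for files under a folder.
function Get-EfsReport {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Work out which volume the folder lives on and what file system it uses.
    # EFS only works on NTFS; a copy to FAT32 or a USB stick silently drops encryption.
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)   # e.g. "C:\"
    $fs = 'unknown'                                                      # UNC paths cannot be queried locally
    if ($root -match '^[A-Za-z]:') {
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($root.Substring(0,2))'"
        if ($disk) { $fs = $disk.FileSystem }
    }

    foreach ($item in Get-ChildItem -Path $Path -Recurse -Force) {
        $encrypted = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
        $note = ''
        if ($fs -ne 'NTFS') { $note = "Volume is $fs, not NTFS: EFS cannot protect data here" }
        elseif (-not $item.PSIsContainer -and -not $encrypted) { $note = 'Plaintext file inside the scanned folder' }
        New-Object PSObject -Property @{
            FullName  = $item.FullName
            IsFolder  = $item.PSIsContainer
            Encrypted = $encrypted
            Volume    = $fs
            Note      = $note
        }
    }
}

# Mark a folder (and everything already in it) as encrypted, so files moved or
# created in it from now on are encrypted automatically. cipher.exe ships with Windows.
function Enable-EfsFolder {
    param([Parameter(Mandatory=$true)][string]$Folder)
    $scope = "/s:$Folder"
    & cipher.exe /e $scope | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder path): list only the findings that need attention
Get-EfsReport -Path 'C:\Users\Public\Documents' | Where-Object { $_.Note } | Format-Table FullName, Note -AutoSize
```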
Encrypting File System (EFS)

BitLocker & BitLocker To Go

Video: BitLocker

Who are you protecting against?
  - Other users or administrators on the machine? EFS
  - Unauthorized users with physical access? BitLocker
  Scenarios (technologies compared: BitLocker, EFS, RMS):
  - Laptops
  - Branch office server
  - Local single-user file & folder protection
  - Local multi-user file & folder protection
  - Remote file & folder protection
  - Untrusted network admin
  - Remote document policy enforcement
Section 4: User and Group Changes

Learning Objectives
  In this module you will learn:
  - How to add a new user
  - More new groups available
  - User Account Control to mitigate risk

New Users

New Groups

User Account Control
  The user provides explicit consent before using elevated privilege.

User Account Control Setup
Changes to UAC in Windows 7
  Four levels of notification for UAC in Windows 7, from most secure to least secure:
  1. Always Notify Me (most secure)
     - Displays all prompts
     - Prompts dim the screen
     - Default for standard users
  2. Notify Me Only When Programs Try to Make Changes to My Computer (default)
     - Displays only prompts from applications
     - Prompts dim the screen
     - Default for administrators
  3. Do Not Dim Desktop
     - Displays only prompts from applications
     - No screen dimming
     - Not default
  4. Never Notify Me (least secure)
     - Displays no prompts
     - No screen dimming
     - Not default
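The four levels above correspond to two registry values under the local security policy key. As an added PowerShell example (not from the deck), this reads them and reports which level a machine is at; the level names and the "compliant" threshold are this example's own choices.

```powershell
# Added example (not from the deck): map the registry values behind the UAC slider
# to the four Windows 7 notification levels, then use that as a fleet baseline check.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # EnableLUA=0 turns UAC off entirely (a reboot is needed for the change to apply).
    if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA = 0)' }

    # ConsentPromptBehaviorAdmin: 2 = prompt for consent for every elevation,
    #   5 = prompt for consent for non-Windows binaries only, 0 = elevate without prompting.
    # PromptOnSecureDesktop: 1 = switch to the secure desktop (screen dims), 0 = no dimming.
    $combo = "$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)"
    switch ($combo) {
        '2/1'   { 'Level 1: Always Notify Me (most secure)' }
        '5/1'   { 'Level 2: Notify Me Only When Programs Try to Make Changes (default)' }
        '5/0'   { 'Level 3: Notify Me Only When Programs Try to Make Changes, Do Not Dim Desktop' }
        '0/0'   { 'Level 4: Never Notify Me (least secure)' }
        default { "Non-standard policy: ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)" }
    }
}

# Baseline check: anything weaker than the default level (or a non-standard
# combination) is reported as non-compliant so it can be investigated.
function Test-UacBaseline {
    $level = Get-UacLevel
    $ok = ($level -like 'Level 1*') -or ($level -like 'Level 2*')
    New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Level = $level; Compliant = $ok }
}

Test-UacBaseline | Format-List
```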
ACL

Section 5: Kernel Changes

Learning Objectives
  In this module you will learn:
  - New security features via Windows 7 kernel improvements

Security Enhancements
  - User Account Control level
  - Virtual accounts
  - BitLocker and BitLocker To Go
Virtual Accounts
  Motivation:
  - Want better isolation than existing service accounts
  - Don't want to manage passwords
  Virtual accounts are like service accounts:
  - The process runs with the virtual SID as its principal
  - System-managed password
  - Show up as the computer account when accessing the network
  Services can specify a virtual account:
  - The account name must be NT SERVICE\<service>
  - The service control manager verifies the service account and creates a user profile for the account
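As an added PowerShell example (not from the deck), the following inventories which identity each service runs under so that services still running as LocalSystem stand out, and shows how a service is moved to its NT SERVICE\<service> virtual account with sc.exe. The service name is a parameter you supply.

```powershell
# Added example (not from the deck): inventory service identities, then move one
# service to its virtual account. Run elevated on Windows 7 or later.
function Get-ServiceIdentityReport {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $kind = switch -Wildcard ($svc.StartName) {
            'LocalSystem'    { 'LocalSystem (full machine privilege)' }
            'NT AUTHORITY\*' { 'Built-in LocalService / NetworkService' }
            'NT SERVICE\*'   { 'Virtual account (per-service SID, system-managed password)' }
            default          { 'Named user account (password to rotate)' }
        }
        New-Object PSObject -Property @{ Name = $svc.Name; RunsAs = $svc.StartName; Kind = $kind }
    }
}

# Change a service's logon to its own virtual account. sc.exe is used because
# Set-Service in PowerShell 2.0 (Windows 7) cannot change the logon account.
# No password is supplied: the system manages it. Before restarting the service,
# its own files and registry keys must grant access to the NT SERVICE\<name> SID.
function Set-ServiceVirtualAccount {
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    & sc.exe config $ServiceName obj= "NT SERVICE\$ServiceName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    # Verify what the service control manager now reports as the logon account.
    (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartName
}

Get-ServiceIdentityReport | Sort-Object Kind, Name | Format-Table Name, RunsAs, Kind -AutoSize
```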
Section 6: Audit Changes

Learning Objective
  In this module you will learn:
  - How Windows 7 has improved upon auditing capabilities

Improved Auditing
  More granularity:
  - Support for many auditing subcategories: logon, logoff, file system access, registry access, use of administrative privilege
  - Previous versions of Windows only support high-level categories such as System, Logon/Logoff, and Object Access, with little granularity
  New logging infrastructure:
  - Easier to filter out noise in logs and find the event you're looking for
  - Tasks tied to events: when an event occurs, such as administrative privilege use, tasks such as sending an e-mail to an auditor can run automatically

Granular Audit Policy
Added Auditing For
  - Registry value change audit events (old + new values)
  - AD change audit events (old + new values)
  - Improved operation-based audit
  - Audit events for UAC
  - Improved IPsec audit events, including support for AuthIP
  - RPC call audit events
  - Share access audit events
  - Share management events
  - Cryptographic function audit events
  - IAS (RADIUS) audit events (server only)
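The granular subcategories from the two auditing slides above, as an added PowerShell example that is not part of the deck: it enables a handful of subcategories with auditpol.exe and then reads back the registry value change events (ID 4657), which carry the old and new values the slide mentions. The subcategory list is this example's own selection.

```powershell
# Added example (not from the deck): enable granular audit subcategories with
# auditpol.exe, then read back registry-change events (4657). Run elevated.
function Enable-GranularAuditPolicy {
    # English display names as shown by: auditpol /list /subcategory:*
    $subcategories = 'Registry', 'File System', 'Sensitive Privilege Use', 'Logon', 'Logoff'
    foreach ($s in $subcategories) {
        $arg = "/subcategory:$s"
        & auditpol.exe /set $arg /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$s'" }
    }
    # Stop a legacy nine-category policy (e.g. from an old GPO) from overwriting the
    # subcategory settings at the next policy refresh.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
}

function Get-RegistryValueChanges {
    param([int]$Hours = 24)
    # 4657 = "A registry value was modified". It is only logged for keys that carry
    # an audit entry (SACL) and while the Registry subcategory is enabled.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull fields by their EventData names rather than by position.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time     = $evt.TimeCreated
            User     = $data['SubjectUserName']
            Key      = $data['ObjectName']
            Value    = $data['ObjectValueName']
            OldValue = $data['OldValue']
            NewValue = $data['NewValue']
            Process  = $data['ProcessName']
        }
    }
}

Enable-GranularAuditPolicy
Get-RegistryValueChanges -Hours 24 | Format-Table Time, User, Key, Value, OldValue, NewValue -AutoSize
```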
Section 7: New and Changed Security Options

Learning Objectives
  In this module you will learn the following features:
  - Windows Biometric Framework
  - AppLocker
  - DirectAccess
  - Windows Firewall
  - Microsoft Security Essentials
  - Internet Explorer 8

AppLocker

DirectAccess

Windows 7 Firewall
  - Both inbound and outbound
  - Authentication and authorization aware
  - Outbound application-aware filtering is now possible
  - Includes IPsec management
  - Policy-based administration
Multiple Active Firewall Profiles
  - New feature in Windows 7
  - Previously, Windows Firewall rules applied over all network connections (wired, wireless, VPN, hotspot, home, etc.)
  - Now, different firewall rules can apply to three classes of connections:
    Win7 Firewall Profile   Domain              Private                  Public
    Connection              Most secure         (in between)             Least secure
    Firewall policies       Least restrictive   (in between)             Most restrictive
    Example                 VPN                 Home wireless network    All non-domain connections, by default
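The per-profile model above, as an added PowerShell example that is not part of the deck: it applies a baseline through netsh advfirewall (the command-line interface Windows 7 ships; the NetSecurity cmdlets only arrived in Windows 8), tightening the Public profile more than Domain and Private, and then parses the profiles back. The parser assumes English netsh output.

```powershell
# Added example (not from the deck): per-profile firewall baseline via netsh advfirewall.
# Run from an elevated prompt on Windows 7 or later.
function Set-FirewallProfileBaseline {
    $log = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
    $commands = @(
        @('set', 'allprofiles', 'state', 'on'),
        # Domain and Private: block unsolicited inbound, allow outbound, honour inbound allow rules.
        @('set', 'domainprofile',  'firewallpolicy', 'blockinbound,allowoutbound'),
        @('set', 'privateprofile', 'firewallpolicy', 'blockinbound,allowoutbound'),
        # Public: ignore even inbound allow rules, and ignore locally created rules.
        @('set', 'publicprofile', 'firewallpolicy', 'blockinboundalways,allowoutbound'),
        @('set', 'publicprofile', 'settings', 'localfirewallrules', 'disable'),
        # Log dropped packets on every profile so blocked probes are visible to the SOC.
        @('set', 'allprofiles', 'logging', 'droppedconnections', 'enable'),
        @('set', 'allprofiles', 'logging', 'filename', $log)
    )
    foreach ($c in $commands) {
        & netsh.exe advfirewall $c | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($c -join ' ') failed ($LASTEXITCODE)" }
    }
}

# Parse 'netsh advfirewall show allprofiles' into one object per profile (English output assumed).
function Get-FirewallProfileSummary {
    $profiles = @{}
    $current = $null
    foreach ($line in (& netsh.exe advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
            $profiles[$current] = New-Object PSObject -Property @{ Profile = $current }
        } elseif ($current -and $line -match '^(State|Firewall Policy|LogDroppedConnections)\s+(\S.*)$') {
            $profiles[$current] | Add-Member NoteProperty ($matches[1] -replace ' ', '') $matches[2].Trim()
        }
    }
    $profiles.Values
}

Set-FirewallProfileBaseline
Get-FirewallProfileSummary | Format-Table Profile, State, FirewallPolicy, LogDroppedConnections -AutoSize
```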
Microsoft Security Essentials
  - Free anti-virus/spyware/malware tool from Microsoft designed for home PCs
  - Not included in the Windows 7 installation; needs to be downloaded separately from Microsoft
  - No central management capabilities (unlike Windows Defender); not an ideal solution for large organizations

Security Essentials Scanning Modes
  Real-time protection: warns users when potential spyware is executed or tries to perform certain operations

MS vs Other Brand Name Vendors

Security Essentials Scanning Modes
  Scheduled & on-demand scans:
  - Quick: scans only system files likely to be targeted by malware and viruses, or likely culprits such as processes currently running and files currently open on the machine
  - Full: scans all files; a much longer process

Internet Explorer 8 Secure Features
  - SmartScreen
  - Domain Highlighting
  - InPrivate Browsing
  - Cross Site Scripting Filter

SmartScreen and SmartScreen Filter

SmartScreen Filter

Domain Highlighting
  The Microsoft domain is easy to read.

Cross Site Scripting Filtering
  Internet Explorer 8 detects potential cross-site scripting vulnerabilities and disables harmful scripts.

InPrivate Browsing

  - Click-jacking prevention
  - Data Execution Prevention (DEP)
  - InPrivate Filtering
  - Automatic crash recovery

Windows 7 Conclusion
  - Many features already exist in other operating systems.
  - Incorporates most major security changes introduced in Windows 7.
  - UAC password requirements are seen as less annoying in Windows 7 due to more customization and better software design.
  - Improved security through additional features and options.

Questions?