Administering Windows Vista Security: The Big Surprises

An Inside Look at Windows Vista Security for Systems Administrators Get an early start on Windows Vista security and the technology shifts you'll need to know as a systems administrator. From leading Windows expert Mark Minasi comes this "just-in-time" book to get you there. This targeted, hands-on guide takes a rapid-fire approach to the biggest security changes and how they'll affect business as usual for those who must integrate and provide technical support for Windows Vista. You'll find practical instruction, tips, workarounds, and much more. Work through a slew of Vista surprises, such as logging on as Administrator and how to re-enable Run Discover how virtualization works--and where it doesn't Find out why you can no longer delete files in System32, even though you are an Administrator Get familiar with new post-boot security features such as PatchGuard Protect laptops to the max with the innovative BitLocker feature Meet the new Windows Integrity mechanism Explore the revamped Event Viewer, event forwarding, and new troubleshooting tools Go above and beyond what you've heard about Vista Discover the changes to Share and Registry Access Catch up on all the encryption news and services Try out Vista Remote Desktop with its enhanced security About the Series The Mark Minasi Windows Administrator Library equips system administrators with in-depth technical solutions to the many challenges associated with administering Windows in an enterprise setting. Series editor Mark Minasi, a leading Windows expert, not only selects the topics and authors, he also develops each book to meet the specific needs and goals of systems administrators, MIS professionals, help-desk personnel, and corporate programmers.

Table of Contents:
Introduction. Chapter 1 Administering Vista Security: The Little Surprises. Restoring the Administrator. Making Your Own Administrator. Activating the Administrator Account. Power Users Are Essentially Gone. "Run..." Is Off the Start Menu. BOOT.INI Is Gone, BCD Is Here. boot.ini Review. BCD Terminology. Creating a Second OS Entry. Understanding Vista Boot Manager Identifiers. Choosing Timeout and Default OS with bcdedit. Changing an Entry Option. Cleaning Up: Deleting OS Entries. "Documents and Settings" Is Gone, Kind Of. IPv6 and Network Properties. Remote Desktop Gets a Bit More Secure. NTFS and the Registry Are Transaction Based. Undelete Comes to Windows for Real! Changes in Security Options. Changes to Named Pipe Access. Changes to Share and Registry Access. LM Deemphasized, NTLMv2 Emphasized. No More Unsigned Driver Warnings. Encryption News. Vista Includes New Cryptographic Services. You Can Encrypt Your Pagefile. Offline Files Folders Are Encrypted per User. New Event Viewer. XML Format Comes to Event Viewer. Custom Queries Lets You Customize Event Viewer. Generating Actions from Events. Telling the Event Log Service to Display Messages. Forwarding Events from One Computer to Another. Subscription Overview. Creating an Example Subscription. Troubleshooting Subscription Delays. Event Forwarding in Workgroups. Chapter 2 Understanding User Account Control (UAC): "Are You Sure, Mr. Administrator?" Introducing UAC. Why UAC Is Good, after All. UAC Benefits for Users. UAC Benefits for Admins. UAC as a Transition Tool. An Overview of UAC. Digging Deeper into UAC. How Windows Creates the Standard User Token. How to Tell UAC to Use the Administrator Token. What Tells Windows to Use the Administrator Token. Reconfiguring User Account Control. Turning UAC On, Off, or in Overdrive. Configuring UAC Junior: UAC for the User. Side Point: How "Administrator-ish" Must You Be to Get UACed? Excluding the Built-in Administrator. Telling UAC to Skip the Heuristics. Controlling Secure Desktop. Sign or Go Home: Requiring Signed Applications. Working around Apps That Store Data in the Wrong Places. The Big Switch: Turning Off UAC Altogether. Will UAC Succeed? Summary. Chapter 3 Help for Those Lame Apps: File and Registry Virtualization. File and Registry Virtualization Basics. Seeing File Virtualization in Action. File and Registry Virtualization Considerations. Which Areas Are Protected and Where They Are Virtualized. How Virtualization Handles Files. How Virtualization Handles the Registry. What Does "Legacy" Mean, Exactly? Seeing Virtualization in Standard Versus Administrative Users. Tracking Virtualization. A Possible Virtualization Problem. Controlling Virtualization. The Future of Virtualization. Summary. 4 Understanding Windows Integrity Control. Windows Integrity Control Overview. Mandatory Controls Versus Discretionary Controls. The Orange Book. C2 Certification and NT. C and B: Discretionary Versus Mandatory. WIC Components. WIC's Six Integrity Levels. How Objects Get and Store Integrity Levels: Mandatory Labels. Process Integrity Levels. Seeing Processes in Action. Setting Up. Example: Starting a Low Integrity Application. Internet Explorer Protected Mode and WIC. A Prime Directive Puzzle: WIC and Deletes. Using WIC ACEs to Restrict Access. Things WIC ACEs Can't Do. You Cannot Apply Mandatory Labels with Group Policy. You Cannot Create Standard Permissions That Name Mandatory Labels. A Note on Modifying System Files. Dialing Up Custom Labels. Meet SDDL Strings. Understanding the Secret Language of Bs: SDDL Label Syntax. Using SDDL Strings to Set Integrity Levels. Summary. Chapter 5 BitLocker: Solving the Laptop Security Problem. The Laptop Security Problem Today. BitLocker Drive Encryption-The Overview. BitLocker Components. What Is a TPM? Full Disk Encryption. Encryption Algorithm. Key Storage. Authentication or Access Control. Increasing Security with Additional Key Protectors. Boot Process Validation (Integrity Check). Enabling BitLocker for the First Time. Using BitLocker without a TPM. Summary of Key Protectors. Recovery. Recovery Example 1: Desktop Hardware Failure (Stand-alone System without a TPM). Recovery Example 2: Laptop Hardware Failure (TPM-based). Recovery Example 3: Lost USB Key (Computer with a TPM). Recovery Example 4: "Found" Laptop. Recovery Summary. BitLocker and Active Directory. Group Policy Options. Managing the TPM and BitLocker in the Enterprise. Servicing a BitLocker-Protected Computer. Secure Decommissioning. Planning for BitLocker Deployment. Summary. Chapter 6 Post-Boot Protection: Code Integrity, New Code Signing Rules, and PatchGuard. Address Space Layout Randomization. Giving 64-bit More Armor. PatchGuard. Code Integrity. What Can Go Wrong? New Code Signing Rules. What Is Code Signing and Why Does It Matter? ActiveX Controls. Protected Media Path Requirements. Requirements. Getting Down to Business: Code Signing an Application or Driver. Getting Down to Business: Deploying an Application or Driver Signed by a Publisher. Summary. Chapter 7 How Vista Secures Services. Services in Brief. Service Control Manager. How Vista Toughens Services: Overview. Session Separation. Reducing Service Privileges. Developers Can Reduce Service Privileges. Admins Can Also Reduce Service Privileges. Special Case: Multiple Services Needing Different Privileges. Reduced Privilege Summary. Service Isolation. How Service Isolation Works. Restricting a Service's SID. Granting Write Permissions to a Service SID. Understanding the sc.exe. Restricted SID Commands. Restricting a Service's Network Ports. Summary. Index.