Least Privilege Security for Windows 7, Vista and XP

Book Description

Secure desktops for regulatory compliance and business agility

  • Implement Least Privilege Security in Windows 7, Vista and XP to prevent unwanted system changes

  • Achieve a seamless user experience with the different components and compatibility features of Windows and Active Directory

  • Mitigate the problems and limitations many users may face when running legacy applications

  • Distribute applications, updates and ActiveX Controls to least privilege users with Group Policy, application virtualization and the ActiveX Installer Service

  • Ensure reliable remote access for IT administrators to support users by configuring support features and firecall access

In Detail

Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. Implementing this principle in different versions of Microsoft Windows requires careful planning and a good understanding of Windows security. While there are benefits in implementing Least Privilege Security on the desktop, there are many technical challenges that you will face when restricting privileges.

This book contains detailed step-by-step instructions for implementing Least Privilege Security on the desktop for different versions of Windows and related management technologies. It will provide you with quick solutions for common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop along with details on the impact of Least Privilege Security.

The book begins by showing you how to apply Least Privilege Security to different categories of users. You will then prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings. You will identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. This book will help you configure User Account Control on multiple computers using Group Policy and support Least Privilege user accounts using reliable remote access. Then, you will modify legacy applications for Least Privilege Security, achieving the best balance between compatibility and security by using Application Compatibility shims. You will install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS). The book will help you implement best practices for working with ActiveX Controls in a managed environment. Finally, you will deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run and blacklist applications using SRP or AppLocker.

A practical handbook containing detailed step-by-step instructions for implementing Least Privilege Security on Windows systems

Table of Contents

    1. Least Privilege Security for Windows 7, Vista and XP
      1. Least Privilege Security for Windows 7, Vista and XP
      2. Credits
      3. About the Author
      4. About the Reviewers
      5. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      6. 1. An Overview of Least Privilege Security in Microsoft Windows
        1. What is privilege?
        2. What is Least Privilege Security?
          1. Limiting the damage from accidental errors with Least Privilege Security
          2. Reducing system access to the minimum with Least Privilege Security
        3. Least Privilege Security in Windows
          1. Windows 9.x
          2. Windows NT (New Technology)
          3. Windows 2000
          4. Windows XP
          5. Windows Vista
          6. Windows 7
        4. Advanced Least Privilege Security concepts
          1. Discretionary Access Control
          2. Mandatory Access Control
          3. Mandatory Integrity Control
          4. Role-based Access Control
        5. Least Privilege Security in the real world
        6. Benefits of Least Privilege Security on the desktop
          1. Change and configuration management
          2. Damage limitation
          3. Regulatory compliance
          4. Software licensing
        7. What problems does Least Privilege Security not solve?
        8. Common challenges of Least Privilege Security on the desktop
          1. Application compatibility
          2. System integrity
          3. End user support
        9. Least Privilege and your organization's bottom line
          1. Determining the affect of Least Privilege Security on productivity
          2. Reducing total cost of ownership
          3. Improved security
        10. Summary
      7. 2. Political and Cultural Challenges for Least Privilege Security
        1. Company culture
          1. Defining company culture
          2. Culture shock
          3. Culture case studies
            1. Company A
            2. Company B
        2. Getting support from management
          1. Selling Least Privilege Security
            1. Using key performance indicators
            2. Using key risk indicators
            3. Mapping CSFs to KPIs
            4. Security metrics
            5. Threat modeling
            6. Reducing costs
            7. Security adds business value
          2. Setting an example
        3. User acceptance
          1. Least Privilege Security terminology
          2. Justifying the decision to implement Least Privilege Security
        4. Applying Least Privilege Security throughout the enterprise
          1. Deciding whom to exempt from running with a standard user account
            1. What not to do
        5. Managing expectations
          1. Service catalog
          2. Chargebacks
        6. Maintaining flexibility
        7. User education
        8. Summary
      8. 3. Solving Least Privilege Problems with the Application Compatibility Toolkit
        1. Quick compatibility fixes using the Program Compatibility Wizard
          1. Applying compatibility modes to legacy applications
          2. Program Compatibility Wizard
          3. Program Compatibility Assistant
            1. Disabling the Program Compatibility Assistant
            2. Excluding executables from the Program Compatibility Assistant
        2. Achieving application compatibility in enterprise environments
          1. Compatibility fixes
            1. Modifying applications using shims
            2. Enhancing security using compatibility shims
            3. Deciding whether to use a shim to solve a compatibility problem
              1. Vendor support
              2. In-house applications
              3. Kernel-mode applications
          2. Creating shims for your legacy applications
          3. Solving compatibility problems with shims
            1. LUA compatibility mode fixes in Windows XP
              1. LUARedirectFS
              2. LUARedirectFS_Cleanup
              3. LUARedirectReg
              4. LUARedirectReg_Cleanup
              5. LUATrackFS
            2. Creating your own custom database
            3. Maxthon on Windows XP
            4. Working with other commonly used compatibility fixes
              1. ForceAdminAccess
              2. CorrectFilePaths
              3. VirtualRegistry
                1. ADDREDIRECT
          4. Working with custom databases
            1. Adding new shims to your custom database (merging custom databases)
            2. Temporarily disabling compatibility fixes
            3. Installing a custom database from Compatibility Administrator
            4. Deploying a database to multiple devices
              1. Finding the GUID of custom database
              2. SDBINST command-line switches
              3. Distributing or updating a custom database using Group Policy
        3. Summary
      9. 4. User Account Control
        1. User Account Control components
          1. Elevation prompts
          2. Protected administrator (PA)
          3. Windows Integrity Control and User Interface Privilege Isolation
          4. Application Information Service
          5. Filesystem and registry virtualization
          6. Internet Explorer Protected Mode
        2. The shield icon
        3. User Account Control access token model
          1. Standard user access token
          2. Protected administrator access token
        4. Conveniently elevating to admin privileges
          1. Automatically launching applications with admin privileges
          2. Consent and credential elevation prompts
            1. Consent prompts
            2. Credential prompts
          3. Application-aware elevation prompts
            1. Windows Vista
            2. Publisher verified (signed)
            3. Publisher not verified (unsigned)
            4. Publisher blocked
          4. Administrator accounts
          5. Elevation prompt security
            1. Securing the desktop
            2. Providing extra security with the Secure Attention Sequence (SAS)
          6. Securing elevated applications
            1. Windows Integrity Mechanism
              1. Integrity policies
              2. Assigning integrity levels
            2. User Interface Privilege Isolation
              1. User Interface Privilege Level
              2. UIPI and accessibility
          7. Achieving application compatibility
            1. Application manifest
            2. Power Users
            3. Windows Logo Program
              1. Certification requirements
          8. Filesystem and registry virtualization
            1. Filesystem virtualization
              1. Virtual root directory
            2. Registry virtualization
              1. Virtual root registry
              2. Using Task Manager to determine whether a process is using UAC filesystem and registry virtualization
          9. Windows Installer and User Account Control
            1. Automatically detecting application installers
          10. Controlling User Account Control through Group Policy
            1. Admin Approval Mode for the built-in administrator account
            2. Allowing UIAccess applications to prompt for elevation without using the secure desktop
            3. Behavior of the elevation prompt for administrators in Admin Approval Mode
            4. Behavior of the elevation prompt for standard users
            5. Detect application installations and prompt for elevation
            6. Only elevate executables that are signed and validated
            7. Only elevate UIAccess applications that are installed in secure locations
            8. Run all administrators in Admin Approval Mode
            9. Switch to the secure desktop when prompting for elevation
            10. Virtualize file and registry write failures to per-user locations
          11. What's new in Windows 7 User Account Control
            1. User Account Control slider
            2. Auto-elevation for Windows binaries
              1. Executables
              2. Microsoft Management Console (MMC)
              3. Component Object Model (COM) objects
            3. More settings accessible to standard users
        5. Summary
      10. 5. Tools and Techniques for Solving Least Privilege Security Problems
        1. Granting temporary administrative privileges
          1. Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
            1. Creating three support accounts
            2. Creating a policy setting to automatically delete the support account at logoff
            3. Testing the support accounts
            4. Putting into practice
          2. Granting temporary administrative access without a separate logon
            1. Creating a batch file to elevate the privileges of the logged in user
            2. Testing the procedure
            3. Limitations of the procedure
        2. Bypassing user account control for selected operations
          1. Using Task Scheduler to run commands with elevated privileges
            1. Running the Scheduled Task as a standard user
        3. Configuring applications to run with elevated privileges on-the-fly
        4. Solving LUA problems with Avecto Privilege Guard
          1. Defining application groups
          2. Defining access tokens
          3. Configuring messages
          4. Defining policies
          5. Solving LUA problems with Privilege Manager
            1. Defining Privilege Manager rules
              1. Assigning permissions
              2. Adding or removing individual privileges
              3. Specifying integrity levels
        5. Suppressing unwanted User Account Control prompts
          1. Modifying application manifest files
            1. Editing manifests using Resource Tuner
            2. Modifying manifests using the RunAsInvoker shim
        6. Setting permissions on files and registry keys
          1. Identifying problems using Process Monitor
          2. Modifying permissions on registry keys and files with Group Policy
        7. Fixing problems with the HKey Classes Root registry hive
          1. Using Registry Editor to copy keys from HKCR to HKCU
        8. Mapping .ini files to the registry
        9. Using LUA Buglight to identify file and registry access violations
        10. Summary
      11. 6. Software Distribution using Group Policy
        1. Installing software using Group Policy
          1. Installing software using Windows Installer
          2. Deploying software using Group Policy
          3. Comparing Group Policy Software Installation with system images for software distribution
            1. Choosing between thin and fat images
          4. Preparing applications for deployment
            1. Extracting .msi files from setup packages
              1. Using WinRAR or 7-Zip to extract .msi files
            2. Using command-line switches for silent installs and customization
            3. Deploying system changes using Group Policy startup scripts
            4. Creating an .msi wrapper
            5. Repackaging an application with a legacy installer
              1. Installing AdminStudio
              2. Configuring AdminStudio's Repackager to run on a remote machine
              3. Installing the remote repackager
              4. Monitoring a legacy installation routine
          5. Customizing an installation package
            1. Customizing Acrobat Reader's MSI installer using Adobe Customization Wizard 9
          6. Using the Distributed File System with GPSI
            1. Creating a DFS namespace
            2. Adding a folder to the namespace
          7. Deploying software using GPSI
            1. Configuring software installation settings
            2. Targeting devices using WMI filters and security groups
              1. Active Directory security groups
                1. Creating a security group to filter a GPO
              2. Windows Management Instrumentation filtering
          8. Upgrading software with GPSI
          9. Uninstalling software with GPSI
            1. Removing software when it falls out of scope of management
            2. Removing .msi packages from Group Policy Objects
        2. Summary
      12. 7. Managing Internet Explorer Add-ons
        1. ActiveX controls
          1. Per-user ActiveX controls
            1. Changing the installation scope to per-user
          2. Best practices
          3. Deploying commonly used ActiveX controls
            1. Deploying Adobe Flash and Shockwave Player
            2. Deploying Microsoft Silverlight
          4. ActiveX Installer Service
            1. Enabling the ActiveX Installer Service
              1. Using the GUI to install the ActiveX Installer Service
              2. Using the command line to install the ActiveX Installer Service
            2. Determining the ActiveX control host URL in Windows 7
            3. Determining the ActiveX control host URL in Windows Vista
            4. Configuring the ActiveX Installer Service with Group Policy
            5. Testing the ActiveX Installer Service
        2. Managing add-ons
          1. Administrator approved controls
            1. Determining the Class Identifier CLSID of an installed ActiveX control
            2. Adding ActiveX controls to the Add-on List
        3. Summary
      13. 8. Supporting Users Running with Least Privilege
        1. Providing support
          1. Preparing to support least privilege
        2. Troubleshooting using remote access
          1. Troubleshooting for notebook users
            1. The notebook challenge
            2. Having the right tools in place
            3. Notebook users who seldom visit the office
            4. Setting out IT policy
            5. Other functions the help desk might require
            6. The last resort: An administrative backdoor for notebooks
        3. Enabling and using command-line remote access tools
          1. WS-Management
            1. Configuring WS-Management with Group Policy
            2. Connecting to remote machines using WS-Management
              1. Running standard Windows commands as an administrator on remote computers
              2. Enumerating information using Windows Management Instrumentation
              3. Performing actions on remote computers as an administrator using WMI methods
              4. Connecting to WS-Management 1.1 from Windows Server 2008 R2
              5. Working with WS-Management security
          2. Automating administration tasks using PowerShell Remoting
        4. Enabling and using graphical remote access tools
          1. Enabling Remote Assistance
            1. Different types of Remote Assistance
            2. Enabling Remote Assistance via Group Policy
            3. Offering a computer unsolicited Remote Assistance: DCOM
            4. Sending Remote Assistance invitations
            5. Initiating Remote Assistance from the command line
            6. Connecting to remote PCs using Easy Connect
              1. Enabling Remote Assistance with Network Address Translation
          2. Remote Desktop
          3. Connecting to a remote computer using the Microsoft Management Console (MMC)
        5. Configuring Windows Firewall to allow remote access
          1. Creating a GPO for Windows Firewall in Windows 7
            1. Importing Windows 7 Firewall rules to a GPO
            2. Modifying the default Windows Firewall rules
            3. Adding additional inbound exceptions for remote administration
            4. Creating a WMI filter to restrict the scope of management to Windows 7
            5. Linking the new GPO to the Client OU
            6. Checking the GPO applies to Windows 7
          2. Creating a GPO for Windows Firewall in Vista
            1. Enabling the Remote Assistance and Remote Administration inbound exceptions for the Domain profile
            2. Creating a WMI query for Windows Vista
          3. Creating a GPO for Windows Firewall in Windows XP
            1. Configuring GPO settings
            2. Creating an exception for WS-Management
            3. Creating an exception for Remote Desktop
            4. Creating an exception for Remote Administration
            5. Creating an exception for Remote Assistance
            6. Creating a WMI filter to restrict the scope of management to Windows XP
            7. Linking the new GPO to the Client OU
        6. Summary
      14. 9. Deploying Software Restriction Policies and AppLocker
        1. Controlling applications
          1. Blocking portable applications
          2. Securing Group Policy
            1. Preventing users from circumventing Group Policy
        2. Implementing Software Restriction Policy
          1. Creating a whitelist with Software Restriction Policy
            1. Defining hash rules
            2. Defining path rules
            3. Trusting software signed by a preferred publisher (Certificate Rules)
            4. Making exceptions for IE zones (Network/Internet Zone Rule)
          2. Creating a whitelist with Software Restriction Policy
          3. Configuring applications to run as a standard user
        3. AppLocker
          1. Automatically generating AppLocker rules
          2. Manually creating an AppLocker rule to blacklist an application
          3. Importing and exporting AppLocker rules
        4. Summary
      15. 10. Least Privilege in Windows XP
        1. Installing Windows XP using the Microsoft Deployment Toolkit
          1. Providing a Volume License product key for an MDT XP Task Sequence
        2. Windows XP security model
          1. Power users
          2. Network Configuration Operators
          3. Support_<1234>
          4. User rights
            1. Modifying logon rights and privileges
              1. Logon rights
              2. Privileges
        3. CD burning
          1. Third-party CD/DVD burning software
            1. Nero Burning ROM
              1. Installing Nero BurnRights
              2. Configuring Nero BurnRights from the command line
            2. Allowing non-administrative users to burn discs in CDBurnerXP
          2. Additional security settings
            1. Restricting access to removable media
        4. ActiveX controls
          1. Flash Player
          2. Acrobat Reader
          3. Silverlight
          4. Other popular ActiveX controls
            1. RealPlayer
            2. QuickTime
            3. Sun Java Runtime Environment
            4. Alternatives to QuickTime and RealPlayer
        5. Changing the system time and time zone
          1. Changing the system time
          2. Changing the time zone
            1. Setting time zone registry permissions using a GPO
        6. Power management
          1. Managing power settings with Group Policy Preferences
            1. Creating a GPO startup script to install GPP CSEs
            2. Configuring power options using Group Policy Preferences
          2. Configuring the registry for access to power settings
        7. Managing network configuration
          1. Configuring Restricted Groups
        8. Identifying LUA problems using Standard User Analyzer
        9. Summary
      16. 11. Preparing Vista and Windows 7 for Least Privilege Security
        1. The Application Compatibility Toolkit
          1. Application Compatibility Manager
          2. Installing and configuring ACT
        2. Creating a Data Collection Package
          1. Analyzing data collected by ACT
            1. The application attempted to store a file in a restricted location
            2. The application attempted to store a file in a system location that was virtualized by Windows Vista
            3. The application attempted to open a restricted registry key and write to a restricted registry location
            4. The application attempted to store information under the HKEY_LOCAL_MACHINE\SOFTWARE registry hive
        3. Printers and Least Privilege Security
          1. Installing printers using Group Policy Preferences
          2. Installing printers using Windows Server 2003 Print Management and Group Policy
          3. Installing printers using a script
        4. Logon scripts
          1. Synchronizing the system time
          2. Updating antivirus definitions
          3. Changing protected system configuration
          4. Mapping network drives and printers
          5. Creating desktop shortcuts
        5. Why do a desktop refresh from a technical perspective?
        6. Different methods of reinstalling Windows
          1. Manual, non-destructive install
          2. Automated install
        7. Reinstall Vista or Windows 7 with Least Privilege Security
          1. Installing the Microsoft Deployment Toolkit
          2. Creating a deployment share
          3. Adding an operating system image
          4. Adding core packages to our Lite Touch installation
            1. Creating a Lite Touch task sequence
          5. Updating our deployment share
          6. Preserving default local group membership
          7. Refreshing our OS with the Windows Deployment Wizard
        8. Summary
      17. 12. Provisioning Applications on Secure Desktops with Remote Desktop Services
        1. Introducing Remote Desktop Services
          1. Installing Remote Desktop Session Host and Licensing roles
          2. Controlling access to the Remote Desktop Server
          3. Installing the Remote Desktop Gateway
            1. Creating Connection (CAP) and Resource (RAP) Authorization Policies
            2. Installing the RD Gateway SSL Certificate in Windows 7
            3. Connecting to a Remote Desktop Server via an RD Gateway from Windows 7
          4. Installing applications on Remote Desktop Servers
            1. Publishing applications using Remote Desktop Services
              1. Adding applications to the RemoteApp Manager
          5. Managing Remote Desktop Services licenses
            1. Understanding Remote Desktop Licensing
            2. Revoking Per Device Remote Desktop Services Client Access Licences
            3. Tracking Per User Remote Desktop Services Client Access Licences
          6. Installing Remote Desktop Web Access
            1. Configuring RSS for advertising RemoteApps in Windows 7
          7. Understanding Remote Desktop and Virtual Desktop Infrastructures
          8. Scaling with Remote Desktop Services
        2. Summary
      18. 13. Balancing Flexibility and Security with Application Virtualization
        1. Microsoft Application Virtualization 4.5 SP1 for Windows desktops
          1. Isolating applications with SystemGuard
            1. Deploying App-V
              1. Deploying App-V using the standalone model
              2. Deploying App-V using the streaming model
              3. Deploying App-V using the full infrastructure
          2. Creating a self-service system with App-V for standard users
            1. Enforcing security descriptors
            2. Emulating Application Programming Interface (API)
            3. Solving App-V compatibility problems with shims
          3. Sequencing an application for App-V
            1. Installing the sequencer
            2. Installing the client
          4. Streaming applications with an App-V Server
            1. Installing Microsoft System Center Application Virtualization Streaming Server
          5. Deploying and managing applications for users who never connect to the corporate intranet
          6. Updating applications and Differential Streaming
            1. Active Update
            2. Override URL
        2. VMware ThinApp
        3. Summary
      19. 14. Deploying XP Mode VMs with MED-V
        1. Solving least privilege security problems using virtual machines
          1. Virtual PC and Windows 7 XP Mode
            1. Differentiating between App-V and XP Mode
            2. Setting up Windows 7 XP Mode
            3. Launching applications installed in XP Mode from the Windows 7 Start menu
            4. Security concerns when running XP Mode
        2. Microsoft Enterprise Desktop Virtualization (MED-V)
          1. Installing MED-V 1.0 SP1
            1. Installing the Image Repository
            2. Installing the MED-V Server component
            3. Installing the MED-V Management Console
          2. Preparing a virtual machine for use with MED-V
          3. Working with the MED-V Management Console
            1. Importing a VM for testing
            2. Creating a usage policy
            3. Testing the workspace and usage policy
            4. Packing the VM for use with the MED-V Server
            5. Uploading the VM image to the MED-V Server
            6. Testing the uploaded VM image
        3. Summary