Chapter 4
Hacking Windows
Last modified: 2-5-09

Reasons for Windows Security Problems

Popularity & Complexity
Backward Compatibility
– Very important at businesses
– Enabled by default
– Causes many security problems
Proliferation of features

Windows is Improving

Windows XP SP2 was a giant improvement in security
– Windows Firewall
– Data Execution Prevention
Vista is even more secure
– User Account Control
– BitLocker Drive Encryption

Unauthenticated Attacks

Four Vectors

Authentication Spoofing
Network Services
Client Vulnerabilities
Device Drivers

Authentication Spoofing Attacks

Services to Attack

Server Message Block (SMB)
– TCP ports 445 and 139
Microsoft Remote Procedure Call (MSRPC)
– TCP port 135
Terminal Services
– TCP port 3389
SQL
– TCP 1443 and UDP 1434
SharePoint and other Web services
– TCP 80 and 443

Password Guessing from the Command Line

Accounts may lock out after too many guesses

A Password Guessing Script

Put password – user name pairs in a file named credentials.txt
Tools: enum, Brutus, TSGrinder, many more
– Link Ch 4a1

Password-Guessing Countermeasures

Use a network firewall to restrict access to SMB services on TCP 139 and 445
Use host-resident features of Windows to restrict access to SMB
– IPSec filters (restricts by source IP – link Ch 4b)
– Windows Firewall
Disable SMB services (on TCP 139 and 445)
Enforce the use of strong passwords using policy
Set an account-lockout threshold and ensure that it applies to the built-in Administrator account
Enable audit account logon failures and regularly review Event Logs

Security Policy

SECPOL.MSC at a Command Prompt

Audit Policy

Use a log analysis tool to check the logs
For even better security, use Intrusion Detection/Intrusion Prevention software
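A small version of the log analysis the Audit Policy slide recommends, added here as an example and not part of the original deck: it reads a constructed export of logon events (failure ID 4625 and success ID 4624 on Vista and later, 529 and 528 on XP/2003), and flags a burst of failures against one account from one source, one source failing against many accounts, and a success that follows a burst. The one-event-per-line format, the thresholds and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export of the Security log, one event per line:
# "<date> <time> <event id> <account> <source address>". Made-up entries,
# not a real capture. 4625 = "An account failed to log on" and 4624 =
# successful logon (Vista and later); 529 / 528 are the XP/2003 equivalents.
SAMPLE_LOG = """\
2009-02-05 10:00:01 4625 Administrator 10.0.0.55
2009-02-05 10:00:03 4625 Administrator 10.0.0.55
2009-02-05 10:00:04 4625 Administrator 10.0.0.55
2009-02-05 10:00:06 4625 Administrator 10.0.0.55
2009-02-05 10:00:07 4625 Administrator 10.0.0.55
2009-02-05 10:00:09 4625 Administrator 10.0.0.55
2009-02-05 10:00:12 4624 Administrator 10.0.0.55
2009-02-05 10:05:00 4625 alice 10.0.0.23
2009-02-05 10:20:00 4625 alice 10.0.0.23
2009-02-05 10:21:00 4624 alice 10.0.0.23
2009-02-05 11:00:00 529 bob 10.0.0.77
2009-02-05 11:00:01 529 carol 10.0.0.77
2009-02-05 11:00:02 529 dave 10.0.0.77
2009-02-05 11:00:03 529 erin 10.0.0.77
2009-02-05 11:00:04 529 frank 10.0.0.77
"""

FAILURE_IDS = {4625, 529}
SUCCESS_IDS = {4624, 528}
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Return (timestamp, event id, account, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Flag three patterns (threshold and window are assumed values):
    brute_force         - >= threshold failures for one (source, account) inside window
    spray               - one source failing against >= threshold distinct accounts
    success_after_burst - a successful logon for a (source, account) already flagged"""
    alerts = []
    recent = defaultdict(deque)          # (source, account) -> failure timestamps in window
    bursting = set()                     # (source, account) pairs already reported
    accounts_per_source = defaultdict(set)
    for ts, eid, account, source in sorted(events):
        key = (source, account)
        if eid in FAILURE_IDS:
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("brute_force", source, account))
            accounts_per_source[source].add(account)
            if len(accounts_per_source[source]) == threshold:
                alerts.append(("spray", source, None))
        elif eid in SUCCESS_IDS and key in bursting:
            # The guessing apparently worked: highest priority for incident response.
            alerts.append(("success_after_burst", source, account))
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for kind, source, account in detect(parse_events(SAMPLE_LOG)):
        print(f"{kind:20s} source={source} account={account}")
```

An account-lockout threshold stops the burst against Administrator, but only logging and review catch the spray from 10.0.0.77, which never trips lockout on any single account.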

Eavesdropping on Network Password Exchange

You can sniff password challenge-response hashes with Cain

Use NTLM, not LM

The old LM hashes are easily cracked
The newer NTLM hashes are harder to crack, although they can be broken by dictionary attacks
Elcomsoft has a new tool that cracks NTLM hashes by brute force, clustering many computers together
– See link Ch 4f

Man In The Middle Attacks

SMBRelay and SMBProxy pass authentication hashes along to get authenticated access to the server, on Windows versions before XP

MITM Attack on Terminal Server

Cain can sniff Remote Desktop sessions unencrypted and get administrative credentials
– For Windows XP and Windows Server 2003
– Because Microsoft made a private key public (link Ch 4f1)

Microsoft Remote Procedure Call (MSRPC) vulnerabilities

The MSRPC port mapper is advertised on TCP and UDP 135 by Windows systems
– It cannot be disabled without drastically affecting the core functionality of the operating system
MSRPC interfaces are also available via other ports, including TCP/UDP 139, 445 or 593, and can also be configured to listen over a custom HTTP port via IIS or COM Internet Services

MITM Countermeasures

Attacker usually has to be on your LAN
Use authenticated and encrypted protocols
Enforce them with Group Policy and firewall rules

Remote Unauthenticated Exploits

Metasploit
Easily exploits network services
Typically a couple of months behind Microsoft alerts
CORE IMPACT and Canvas are expensive, but better (Link Ch 4f2)

Network Service Exploit Countermeasures

Apply patches quickly
Use workarounds for unpatched vulnerabilities
Log and monitor traffic
Have an incident response plan

End-user Application Exploits

Often the weakest link, especially on Vista, because the OS itself is more secure
Countermeasures
– Use a firewall to limit outbound connections
– Patches
– Antivirus
– Run with least privilege
– Use software security options, such as plaintext email and IE Security Zones

Device Driver Exploits

There are buffer overflows in wireless device drivers
It is possible to 0wn every vulnerable machine in range just with a beacon frame--no connection required
– Link Ch 4z18

Driver Exploit Countermeasures

Apply vendor patches
Disable wireless networking in high-risk environments
Using Microsoft Logo-tested drivers MIGHT make you safer…
– But does Microsoft really thoroughly test drivers, with fuzzers?
– Fuzzing for 5 seconds was enough for Cache et al. to find a vulnerability

Authenticated Attacks

Privilege Escalation

Once a user can log on to a Windows machine as a Guest or Limited User, the next goal is to escalate privileges to Administrator or SYSTEM
– Getadmin was an early exploit (link Ch 4r)
– There have been many others, including a buffer overrun, MS03-013 (link Ch 4s)

SYSTEM status

The SYSTEM account is more powerful than the Administrator account
The Administrator can schedule tasks to be performed as SYSTEM
– It's more complicated in Vista, but still possible

Making a SYSTEM Task in Vista

Start, Task Scheduler
Action, Create Task
Change User or Group, select SYSTEM
Fill in wizard, notepad.exe
You can see it in Task Manager, but it's not interactive (see link Ch 4t)

Preventing Privilege Escalation

Keep machines patched
Restrict interactive logon to trusted accounts
– Start, secpol.msc
– Deny log on locally

Extracting and Cracking Passwords

Once Administrator-equivalent status has been obtained on one machine
Attackers often want to penetrate deeper into the network, so they want passwords

Grabbing the Password Hashes

Stored in the Windows Security Accounts Manager (SAM) under NT4 and earlier, and
In the Active Directory on Windows 2000 and greater domain controllers (DCs)
The SAM contains the usernames and hashed passwords of all users
– The counterpart of the /etc/passwd file from the UNIX world

Obtaining the Hashes

NT4 and earlier stores password hashes in %systemroot%\system32\config\SAM
– It's locked as long as the OS is running
– It's also in the Registry key HKEY_LOCAL_MACHINE\SAM
On Windows 2000 and greater domain controllers, password hashes are kept in the Active Directory
– %windir%\WindowsDS\ntds.dit

How to Get the Hashes

Easy way: Just use Cain
Cracker tab, right-click, "Add to List"

How Cain Works

Injects a DLL into a highly privileged process in a running system
That's how pwdump, Cain, and Ophcrack do it
– Link Ch 4x

Other Ways to Get the Hashes

Boot the target system to an alternate OS and copy the files to removable media
Copy the backup of the SAM file created by the Repair Disk Utility
– But this file is protected by SYSKEY encryption, which makes it harder to crack (perhaps impossible)
– Links Ch 4u, 4v, 4w
Sniff Windows authentication exchanges

pwdump2 Countermeasures

There is no defense against pwdump2, 3, 4, Cain, Ophcrack, etc.
But the attacker needs local Administrative rights to use them

Cracking Passwords

The hash is supposed to be really difficult to reverse
– NTLM hashes are really hard to break
– But Windows XP and earlier still use LM hashes for backwards compatibility
– They are turned off by default in Vista

No Salt!

To make hashing stronger, add a random "salt" to a password before hashing it
Windows doesn't salt its hash!
Two accounts with the same password hash to the same result, even in Windows 7 Beta!
This makes it possible to speed up password cracking with precomputed Rainbow Tables

Demonstration

Here are two accounts on a Windows 7 Beta machine with the password 'password'
This hash is from a different Windows 7 Beta machine

Linux Salts its Hashes
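The "No Salt" slides and the Linux contrast above, as an added example that is not code from the deck: an NT hash is MD4 over the UTF-16LE password with nothing else mixed in, so every account on every machine with the password 'password' produces the same hash and one precomputed table covers all of them, while a salted scheme (illustrated with PBKDF2, not Linux's exact algorithm) gives a different digest per account. MD4 is written out because many Python builds no longer ship it in hashlib; the account names and the four-word list are constructed.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on modern builds."""
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, message-word order, shift amounts)
        (f, 0, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password. No salt, no per-machine input."""
    return md4(password.encode("utf-16le")).hex()


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Salted alternative (the idea behind Linux's salted hashes, not its exact
    algorithm): a random salt is mixed in, so equal passwords on different
    accounts give different digests and a table must be rebuilt per salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return salt.hex(), digest.hex()


def precomputed_table(wordlist):
    """Toy precomputed lookup table: because nothing varies the input, one
    table built once applies to every Windows account everywhere."""
    return {nt_hash(word): word for word in wordlist}


def demo():
    # Constructed accounts on two different machines, all with password
    # 'password' (mirrors the slide's Windows 7 Beta demonstration).
    accounts = {"alice@pc1": "password", "bob@pc1": "password", "carol@pc2": "password"}
    nt = {name: nt_hash(pw) for name, pw in accounts.items()}
    all_same = len(set(nt.values())) == 1
    table = precomputed_table(["able", "baker", "cow", "password"])
    recovered = {name: table.get(h) for name, h in nt.items()}
    salted = {name: salted_hash(pw) for name, pw in accounts.items()}
    salted_all_differ = len({digest for _, digest in salted.values()}) == len(salted)
    return all_same, recovered, salted_all_differ


if __name__ == "__main__":
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    print(demo())
```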

Brute Force v. Dictionary

There are two techniques for cracking passwords
– Brute Force: tries all possible combinations of characters
– Dictionary: tries all the words in a word list, such as able, baker, cow…
  May try variations such as ABLE, Able, @bl3, etc.

Password-Cracking Countermeasures

Strong passwords – not dictionary words, long, complex
Add non-printable ASCII characters like (NUM LOCK) ALT-255 or (NUM LOCK) ALT-129

Ways to Speed Cracks

Rainbow tables trade time for memory with precomputed hashes
Elcomsoft Distributed Password Recovery
– Uses many machines together, and their graphics cards, to make cracking 100x faster
– Link Ch 4f

Dumping Cached Passwords

Local Security Authority (LSA) Secrets
– Contains unencrypted logon credentials for external systems
– Available under the Registry subkey HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
– Encrypted when the machine is off, but decrypted and retained in memory after login

Contents of LSA Secrets

Service account passwords in plaintext
– Accounts in external domains
Cached password hashes of the last ten users to log on to a machine
FTP and web-user plaintext passwords
Remote Access Services (RAS) dial-up account names and passwords
Computer account passwords for domain access

Scary Demo

Boot Win XP, log in with your usual Admin acct
Change your password
Use Cain to dump the LSA Secrets – your password is just right there in the DefaultPassword
Log in as a different Administrator user
The LSA Secrets show your other account's password!
– Link Ch 4z01

Win XP Password in LSA Secrets

LSA Secrets Countermeasures

There's not much you can do—Microsoft offers a patch but it doesn't help much
– Microsoft KB Article ID Q184017 (link Ch 4z02)
Vista seems far less vulnerable
Local Admin rights can lead to compromise of other accounts that machine has logged in to

Previous Logon Cache Dump

If a domain member cannot reach the domain controller, it performs an offline logon with cached credentials
The last ten domain logons are stored in the cache, in an encrypted and hashed form
The tool CacheDump can reverse the encryption and get the hashed passwords
– Download it at link Ch 4z03
– More info at links Ch 4z04, 4z05

CacheDump Results

John the Ripper can crack these hashes with brute-force and dictionary attacks
– Another cracking tool is cachebf (link Ch z06)

Previous Logon Cache Dump Countermeasures

You need Administrator or SYSTEM privileges to get the hashes
You can also adjust the Registry to eliminate the cached credentials
– But then users won't be able to log in when a domain controller is not accessible

Remote Control and Back Doors

Command-line Remote Control Tools

Netcat for Windows
– Download it at link Ch 3d
– Use this syntax to listen on port 8080, and execute cmd
– Add –d for stealth mode (no interactive console)
– Obviously this is very dangerous—remote control with no logon

Connecting to the nc Listener

On another machine connect with
– TELNET IP 8080
– You get a shell on the other machine
– Works on Vista

PsExec

From SysInternals (now part of Microsoft)
Allows remote code execution (with a username and password)
– Link Ch 4z07

Graphical Remote Control

The Windows built-in Terminal Services (aka Remote Desktop) listens on port 3389
– It's not on by default
VNC is free and very commonly used for graphic remote control
– Can easily be installed remotely
– Link Ch 4z08

VNC as used in Metasploit

Remote Access Tools

TeamViewer (link Ch 4z19)
– My favorite, easy to use, free & safe
Poison Ivy (link Ch 4z09)
GoToMyPC (link Ch 4z10)
LogMeIn Hamachi (link Ch 4z11)

Port Redirection

Fpipe is a port redirection tool from Foundstone
– Link Ch 4z12

Covering Tracks

Once intruders have Administrator or SYSTEM-equivalent privileges, they will:
– Hide evidence of intrusion
– Install backdoors
– Stash a toolkit to use for regaining control in the future and to use against other systems

Disabling Auditing

The auditpol /disable command will stop auditing
auditpol /enable will turn it back on again
– Auditpol is included in Vista
– Part of the Resource Kit for earlier versions (XP, NT, 2000 Server)

Clearing the Event Log

ELsave – command-line log clearing tool
– Written for Windows NT
– Link Ch 4z15

Hiding Files

attrib +h filename
– Sets the Hidden bit, which hides files somewhat
Alternate Data Streams
– Hide a file within a file
– An NT feature designed for compatibility with Macintosh

Demonstration of ADS

ADS With Binary Files

You need the cp command (supposedly in the Resource Kit, although I can't find it available free online)
To detect alternate data streams, use LADS (link Ch 4z16)

Rootkits

Rootkits are the best way to hide files, accounts, backdoors, network connections, etc. on a machine
More on rootkits in a later chapter

General Countermeasures to Authenticated Compromise

Once a system has been compromised with administrator privileges, you should just reinstall it completely
– You can never be sure you really found and removed all the backdoors
But if you want to clean it, here are techniques:

Suspicious Files

Known dangerous filenames like nc.exe
Run antivirus software
Use Tripwire or other tools that identify changes to system files
– Link Ch 4z13

Suspicious Registry Entries

Look for registry keys that start known backdoors like
– HKEY_USERS\.DEFAULT\Software\ORL\WINVNC3
– HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server

A Back-Door Favorite: Autostart Extensibility Points (ASEPs)

Ways to Make a Program Run at Startup in Vista

Registry keys
– Run or RunOnce or Policies\Explorer\Run
– Load value
– RunServices or RunServicesOnce
– Winlogon or BootExecute
Scheduled Tasks
Win.ini
Group Policy
Shell service objects
Logon scripts

Suspicious Processes

Process Explorer
– Link Ch 4z14

Suspicious Ports

Use netstat -aon to view network connections

Software Explorer

Part of Windows Defender in Vista

Windows Security Features

Windows Firewall
Automated Updates
Security Center (Action Center in Windows 7 Beta)

Windows Security Features

Group Policy
– Allows customized security settings in domains
Encryption: BitLocker and EFS
– EFS encrypts folders
– BitLocker encrypts the whole hard drive
– In Windows 7 Beta, BitLocker can encrypt removable USB devices

Video: Hacking BitLocker

Least Privilege

Most Windows users use an Administrative account all the time
– Very poor for security, but convenient
– For XP, 2003, and earlier: log on as a limited user, use runas to elevate privileges as needed
– For Vista and later versions, this process is automated by User Account Control