Page 1: Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions Team, Business Critical Services Microsoft Security Solutions,

Security Features in Microsoft® Windows® XP

James Noyce, Senior Consultant
Security Solutions Team, Business Critical Services

Microsoft Security Solutions, Feb 4, 2003

Page 2: Agenda

- Windows XP Security Features
- What’s New Since Windows 2000
- Drill down into
  - Secure Wireless Networking
  - Group Policy
  - Software Restriction Policies
  - Internet Connection Firewall

Page 3: Security Is Only As Strong As The Weakest Link

- Technology is neither the whole problem nor the whole solution
- Secure systems depend upon Technology, Processes and People

Page 4: Technology, Process, People

Technology
- Baseline technology
- Standards, Encryption, Protection
- Product security features
- Security tools and products

Process
- Planning for security
- Prevention
- Detection
- Reaction

People
- Dedicated staff
- Training
- Security - a mindset and a priority

Page 5: Microsoft Windows Security Enhancements

Security Feature                              | Windows 98            | Windows 2000          | Windows XP
----------------------------------------------|-----------------------|-----------------------|--------------------
Integrated Wireless Networking                |                       | Add-on                | New with Windows XP
Internet Connection Firewall                  |                       | Available Third Party | New with Windows XP
Secure Networking (IPSec)                     |                       | Standard              | Standard
User-Level Security for shared files, folders |                       | Standard              | Standard
Encrypting File System                        |                       | Standard              | Standard
Public Key Infrastructure                     |                       | Standard              | Standard
Group Policy Objects                          |                       | Standard              | Standard
Auditing                                      |                       | Standard              | Standard
Smart Card Support                            | Available Third Party | Standard              | Standard
Multi-User Support                            | Limited Support       | Standard              | Standard
Screen Saver Password Protection              | Standard              | Standard              | Standard
Strong Authentication                         | Limited Support       | Standard              | Standard

Evolution of Windows Desktop Security

Page 6: Windows XP Security Features

- Users and Groups
- Rights and Permissions
- Kerberos
- Crypto API
- Data Protection API
- Screen Saver Password
- Digital Certificates
- Smart Card Logon
- Remote Access
- Auditing
- IP Security
- Encrypting File System
- Group Policy
- 802.1x Network Authentication
- Credentials Manager
- Software Restriction Policies
- Internet Connection Firewall

Builds on Windows 2000 Professional Security Features

Page 7: Existing Security Features

- Users and Groups
- Rights and Permissions
- Kerberos
- Crypto API
- Data Protection API
- Screen Saver Password

Page 8: Enhanced Security Features

- Digital Certificates
  - *Auto enrolment and renewal for users
- Smart Card Logon
  - Supports Remote Desktop
- IP Security (IPSec)
  - Stronger D/H key exchange
  - NAT traversal

Page 9: Enhanced Security Features

- Auditing
  - *More granular operation based auditing
- Remote Access (VPN, DUN and PPPoE)
  - Leverages Internet Connection Firewall
  - L2TP/IPSec over NAT
- Group Policy
  - Increased number of policy settings
  - Resultant Set of Policy (RSoP)

Page 10: Active Directory Group Policy

Page 11: Group Policy

- Password Policy
- Lockout Policy
- Kerberos Policy
- Audit Policy
- User Rights
- Security Options (Registry Values)
- Event Log Settings
- Restricted Groups
- System Services (start-up mode and ACLs)
- Registry ACLs
- File System ACLs

Page 12: Security Configuration Toolset

- Use GPEDIT.MSC to edit Local Group Policy
- Use SECPOL.MSC to edit Local Security Policy
- Security Configuration and Analysis (SCA) to perform auditing and handle templates
- Use SCA to import/export security templates (.INF files) for distribution via Group Policy
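The template workflow from the two slides above (the policy areas on the Group Policy slide and the SCA import/export on this one), as an added example that is not part of the deck and not Microsoft tooling: a baseline security template in the .INF format that SCA imports and exports, a second template standing in for a `secedit /export /cfg current.inf` of a machine's current settings, and a small Python checker that reports every setting that has drifted from the baseline. Both templates are constructed; their sections use the real template names ([System Access] for password and lockout policy, [Event Audit] for audit policy, [Privilege Rights] for user rights, [Registry Values] for security options), but the values are illustrative rather than a recommended baseline.

```python
"""Report drift between a baseline security template (.INF) and an
exported local security configuration.

Added example, not part of the deck.  Both templates are CONSTRUCTED;
the values are illustrative, not a recommended baseline.  Assumed
workflow: the baseline is authored in the SCA snap-in, the current side
is produced on the XP machine with `secedit /export /cfg current.inf`,
and both files are passed to find_drift().
"""

BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# Constructed export from a machine whose settings have drifted.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

# Sections worth diffing; [Unicode] and [Version] are file bookkeeping.
AUDITED_SECTIONS = ("System Access", "Event Audit", "Privilege Rights", "Registry Values")


def parse_template(text):
    """Parse INF-style template text into {section: {key: value}}.

    Keys and values are whitespace-trimmed and otherwise kept as text;
    registry value lines keep their 'type,data' form (4,1 = REG_DWORD 1)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed template line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def find_drift(baseline_text, current_text):
    """Return (section, key, expected, actual) for every baseline setting
    the current configuration does not match; a setting absent from the
    export is reported with actual=None.  Comparison is textual, so the
    baseline must spell values the way secedit exports them."""
    baseline = parse_template(baseline_text)
    current = parse_template(current_text)
    drift = []
    for section in AUDITED_SECTIONS:
        for key, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                drift.append((section, key, expected, actual))
    return drift


if __name__ == "__main__":
    for section, key, expected, actual in find_drift(BASELINE_INF, CURRENT_INF):
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
```

On the machine itself, `secedit /analyze` against a database built from the baseline does this comparison; the script is for reviewing exports collected from many machines offline, and its textual comparison is deliberately strict so that a loosened lockout count or an anonymous-access setting that was reset shows up rather than being normalised away.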

Page 13: Enhanced Security Features

- Encrypting File System
  - Support for AES
  - EFS over WebDAV
  - Shared EFS
- Misc…
  - Controlled network access
  - Offline file synchronisation

Page 14: New Security Features

- 802.1x Network Authentication
- Credentials Manager
- Software Restriction Policies
- Internet Connection Firewall

Page 15: 802.1x Network Authentication

- Secure wired and wireless networks from unauthorised access
- Do not confuse with 802.11b/802.11x/etc…
- Imagine authenticating the computer / user to the network port on the wall
- Then picture accessing the network port via wireless…

Page 16: 802.1x Network Authentication

- Supports password based (PEAP) and certificate based (EAP-TLS) credentials
- Dynamic, rotating WEP keys
- Requires backend infrastructure
  - Internet Authentication Service (IAS)
  - Domain Controller
  - Certificate Authority

Page 17: 802.1x Network Authentication

[Diagram: 802.1x components. Labels: Ethernet Switch (LAN Access); Wireless Access Point (WLAN Access); IAS/RADIUS Server; PKI Server; Active Directory (Authentication and Policy); Auditing]

Page 18: Credentials Manager

- Users receive seamless access to resources for which they have valid credentials
- Provide a common UI for gathering credentials
- Provide per user safe storage of related credentials
- Unlock those credentials using your user logon

Page 19: Credentials Manager

- Secure roaming storage for user credentials
  - Username, password
  - X.509 certificates (smart cards)
  - Passport

Page 20: Software Restriction Policies

- Restricts execution of unmanaged code
  - WIN32, scripts, etc…
- Not to be confused with managed code restrictions in the .NET Framework
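How Software Restriction Policies decide whether a program may run, as an added example that is not from the deck and not Microsoft's code: a toy evaluator implementing the documented precedence of rule types (hash rules beat certificate rules, which beat path rules; among path rules the most specific matching path wins; anything unmatched falls to the policy's default security level). Internet zone rules, which rank last, are left out. The rule set, the signer name "Contoso Corp" and the programs checked are constructed.

```python
"""Toy evaluator showing how Software Restriction Policy rules combine.

Added example, not from the deck.  Precedence modelled: hash > certificate
> path; among path rules the longest (most specific) match wins; with no
match the default security level applies.  Zone rules are omitted.  The
policy, signer name and programs below are CONSTRUCTED.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
RULE_RANK = {"hash": 0, "certificate": 1, "path": 2}  # lower rank wins


@dataclass(frozen=True)
class Rule:
    kind: str      # "hash", "certificate" or "path"
    pattern: str   # hex digest, signer subject, or path (file or folder)
    level: str     # UNRESTRICTED or DISALLOWED


@dataclass(frozen=True)
class Program:
    path: str
    content: bytes
    signer: Optional[str] = None  # Authenticode signer subject, if signed


def file_hash(content):
    """SHA-1 of the file image; XP's SRP hash rules use MD5 or SHA-1."""
    return hashlib.sha1(content).hexdigest()


def _norm(path):
    return path.replace("/", "\\").rstrip("\\").lower()


def rule_matches(rule, prog):
    """True if `rule` applies to `prog`."""
    if rule.kind == "hash":
        return rule.pattern.lower() == file_hash(prog.content)
    if rule.kind == "certificate":
        return prog.signer is not None and rule.pattern.lower() == prog.signer.lower()
    if rule.kind == "path":
        target, pat = _norm(prog.path), _norm(rule.pattern)
        # A folder rule covers everything beneath it; a file rule is exact.
        return target == pat or target.startswith(pat + "\\")
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules, prog, default_level=DISALLOWED):
    """Return (level, winning_rule); winning_rule is None for the default."""
    matches = [r for r in rules if rule_matches(r, prog)]
    if not matches:
        return default_level, None
    # Most authoritative kind first; among equals the longest pattern wins.
    best = min(matches, key=lambda r: (RULE_RANK[r.kind], -len(_norm(r.pattern))))
    return best.level, best


# Constructed policy: default Disallowed, trusted install locations allowed,
# the user-writable temp folder re-disallowed, one known-bad image blocked
# by hash, and one publisher trusted wherever its signed binaries live.
BAD_IMAGE = b"constructed-bad-binary"
POLICY = [
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Windows\Temp", DISALLOWED),
    Rule("hash", file_hash(BAD_IMAGE), DISALLOWED),
    Rule("certificate", "Contoso Corp", UNRESTRICTED),
]


def decide(prog):
    """Security level POLICY assigns to `prog`."""
    return evaluate(POLICY, prog)[0]


if __name__ == "__main__":
    for p in (
        Program(r"C:\Program Files\Vendor\app.exe", b"app"),
        Program(r"C:\Windows\Temp\untrusted.exe", b"tmp"),
        Program(r"C:\Program Files\Vendor\bad.exe", BAD_IMAGE),
        Program(r"C:\Windows\Temp\signed.exe", b"s", signer="Contoso Corp"),
        Program(r"D:\Downloads\unknown.exe", b"u"),
    ):
        level, rule = evaluate(POLICY, p)
        print(f"{p.path}: {level} ({rule.kind + ' rule' if rule else 'default level'})")
```

The three cases worth noticing are the ones the precedence order produces: a binary under Program Files still runs only if no hash rule names it, a binary in the disallowed Temp folder runs anyway when a trusted publisher signed it, and a path rule for a sub-folder overrides the broader rule for its parent regardless of which was listed first.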

Page 21: Internet Connection Firewall

- Provides baseline intrusion prevention
- Protects against scans for information
- Denies all unsolicited inbound traffic
- Stateful inspection of traffic
- Configurable filtering and logging
- Enabled or disabled via location aware Active Directory group policy
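ICF's configurable logging is what makes its scan protection auditable. As an added example that is not from the deck, the Python below parses a constructed pfirewall.log in ICF's W3C-style text format (a #Fields header naming the columns, one record per line) and flags sources whose dropped packets probe many distinct destination ports within a short window. The column names are taken from the log's own #Fields header rather than hard-coded, the sample records use test and private address ranges, and the thresholds in find_port_scans() are this example's assumptions, not ICF settings.

```python
"""Flag probable port scans in an Internet Connection Firewall log.

Added example, not from the deck.  With logging of dropped packets enabled,
ICF writes pfirewall.log in W3C extended log format: a #Fields header
names the columns and one space-separated record follows per line.  The
log below is CONSTRUCTED; the parser keys every record off the #Fields
header rather than fixed positions, so a log with extra or reordered
columns still parses.  Thresholds in find_port_scans() are assumptions.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-02-04 09:15:01 DROP TCP 192.0.2.10 10.0.0.5 4123 135 48 S 812345 0 65535 - - -
2003-02-04 09:15:01 DROP TCP 192.0.2.10 10.0.0.5 4124 139 48 S 812346 0 65535 - - -
2003-02-04 09:15:02 DROP TCP 192.0.2.10 10.0.0.5 4125 445 48 S 812347 0 65535 - - -
2003-02-04 09:15:02 DROP TCP 192.0.2.10 10.0.0.5 4126 1433 48 S 812348 0 65535 - - -
2003-02-04 09:15:03 DROP TCP 192.0.2.10 10.0.0.5 4127 3389 48 S 812349 0 65535 - - -
2003-02-04 09:15:03 DROP TCP 192.0.2.10 10.0.0.5 4128 5900 48 S 812350 0 65535 - - -
2003-02-04 09:16:30 OPEN TCP 10.0.0.5 198.51.100.7 1045 80 - - - - - - - -
2003-02-04 09:17:02 DROP UDP 192.0.2.77 10.0.0.5 1026 137 78 - - - - - - -
2003-02-04 09:17:02 DROP UDP 192.0.2.77 10.0.0.5 1026 138 78 - - - - - - -
"""


def parse_icf_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header directives (#Version, #Software, ...)
        if fields is None:
            raise ValueError("record seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_port_scans(text, min_ports=5, window_seconds=60):
    """Map each source address to the sorted distinct destination ports it
    probed, for sources whose DROP records hit at least `min_ports`
    distinct ports within any `window_seconds` interval."""
    events = defaultdict(list)  # src-ip -> [(timestamp, dst-port)]
    for rec in parse_icf_log(text):
        if rec["action"] != "DROP" or rec["dst-port"] == "-":
            continue  # only dropped traffic with a port (TCP/UDP) counts
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        events[rec["src-ip"]].append((ts, int(rec["dst-port"])))
    scans = {}
    for src, hits in events.items():
        hits.sort()
        start, flagged = 0, set()
        for end, (ts, _) in enumerate(hits):
            # Slide the window start forward until it fits within the limit.
            while (ts - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window_ports = {p for _, p in hits[start:end + 1]}
            if len(window_ports) >= min_ports:
                flagged |= window_ports
        if flagged:
            scans[src] = sorted(flagged)
    return scans


if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports probed: {ports}")
```

Only DROP records count, so the host's own outbound OPEN/CLOSE entries never contribute, and a source that touches one or two ports (the NetBIOS probes from 192.0.2.77 above) stays below the threshold unless it is lowered.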

Page 22: Summary

- Most security features build upon what was present in Windows 2000 Professional
- New security features simplify security management and reduce risk

Page 23: Next Steps

Top 5 Web Resources

- http://www.microsoft.com/windowsxp/pro/techinfo/
- http://www.microsoft.com/technet/prodtechnol/winxppro/default.asp
- http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prork_overview.asp
- http://www.nsa.gov/snac/winxp/download.htm
- http://www.microsoft.com/security
- http://www.microsoft.com/uk/security