Title Details

Byron Hynes works in the Windows Server User Assistance group at Microsoft. He has prior experience running a regional Internet backbone, troubleshooting client-server and Web-enabled applications, and designing network infrastructures and security models. Byron co-authored Hands-On Microsoft Windows Server 2003 Active Directory.

Chapter 1 Administering Vista Security: The Little Surprises.

Restoring the Administrator.

Making Your Own Administrator.

Activating the Administrator Account.

Power Users Are Essentially Gone.

“Run…” Is Off the Start Menu.

BOOT.INI Is Gone, BCD Is Here.

boot.ini Review.

BCD Terminology.

Creating a Second OS Entry.

Understanding Vista Boot Manager Identifiers.

Choosing Timeout and Default OS with bcdedit.

Changing an Entry Option.

Cleaning Up: Deleting OS Entries.

“Documents and Settings” Is Gone, Kind Of.

IPv6 and Network Properties.

Remote Desktop Gets a Bit More Secure.

NTFS and the Registry Are Transaction Based.

Undelete Comes to Windows for Real!

Changes in Security Options.

Changes to Named Pipe Access.

Changes to Share and Registry Access.

LM Deemphasized, NTLMv2 Emphasized.

No More Unsigned Driver Warnings.

Encryption News.

Vista Includes New Cryptographic Services.

You Can Encrypt Your Pagefile.

Offline Files Folders Are Encrypted per User.

New Event Viewer.

XML Format Comes to Event Viewer.

Custom Queries Lets You Customize Event Viewer.

Generating Actions from Events.

Telling the Event Log Service to Display Messages.

Forwarding Events from One Computer to Another.

Subscription Overview.

Creating an Example Subscription.

Troubleshooting Subscription Delays.

Event Forwarding in Workgroups.

Chapter 2 Understanding User Account Control (UAC): “Are You Sure, Mr. Administrator?”

Introducing UAC.

Why UAC Is Good, after All.

UAC Benefits for Users.

UAC Benefits for Admins.

UAC as a Transition Tool.

An Overview of UAC.

Digging Deeper into UAC.

How Windows Creates the Standard User Token.

How to Tell UAC to Use the Administrator Token.

What Tells Windows to Use the Administrator Token.

Reconfiguring User Account Control.

Turning UAC On, Off, or in Overdrive.

Configuring UAC Junior: UAC for the User.

Side Point: How “Administrator-ish” Must You Be to Get UACed?

Excluding the Built-in Administrator.

Telling UAC to Skip the Heuristics.

Controlling Secure Desktop.

Sign or Go Home: Requiring Signed Applications.

Working around Apps That Store Data in the Wrong Places.

The Big Switch: Turning Off UAC Altogether.

Will UAC Succeed?

Summary.

Chapter 3 Help for Those Lame Apps: File and Registry Virtualization.

File and Registry Virtualization Basics.

Seeing File Virtualization in Action.

File and Registry Virtualization Considerations.

Which Areas Are Protected and Where They Are Virtualized.

How Virtualization Handles Files.

How Virtualization Handles the Registry.

What Does “Legacy” Mean, Exactly?

Seeing Virtualization in Standard Versus Administrative Users.

Tracking Virtualization.

A Possible Virtualization Problem.

Controlling Virtualization.

The Future of Virtualization.

Summary.

4 Understanding Windows Integrity Control.

Windows Integrity Control Overview.

Mandatory Controls Versus Discretionary Controls.

The Orange Book.

C2 Certification and NT.

C and B: Discretionary Versus Mandatory.

WIC Components.

WIC’s Six Integrity Levels.

How Objects Get and Store Integrity Levels: Mandatory Labels.

Process Integrity Levels.

Seeing Processes in Action.

Setting Up.

Example: Starting a Low Integrity Application.

Internet Explorer Protected Mode and WIC.

A Prime Directive Puzzle: WIC and Deletes.

Using WIC ACEs to Restrict Access.

Things WIC ACEs Can’t Do.

You Cannot Apply Mandatory Labels with Group Policy.

You Cannot Create Standard Permissions That Name Mandatory Labels.

A Note on Modifying System Files.

Dialing Up Custom Labels.

Meet SDDL Strings.

Understanding the Secret Language of Bs: SDDL Label Syntax.

Using SDDL Strings to Set Integrity Levels.

Summary.

Chapter 5 BitLocker: Solving the Laptop Security Problem.

The Laptop Security Problem Today.

BitLocker Drive Encryption—The Overview.

BitLocker Components.

What Is a TPM?

Full Disk Encryption.

Encryption Algorithm.

Key Storage.

Authentication or Access Control.

Increasing Security with Additional Key Protectors.

Boot Process Validation (Integrity Check).

Enabling BitLocker for the First Time.

Using BitLocker without a TPM.

Summary of Key Protectors.

Recovery.

Recovery Example 1: Desktop Hardware Failure (Stand-alone System without a TPM).

Recovery Example 2: Laptop Hardware Failure (TPM-based).

Recovery Example 3: Lost USB Key (Computer with a TPM).

Recovery Example 4: “Found” Laptop.

Recovery Summary.

BitLocker and Active Directory.

Group Policy Options.

Managing the TPM and BitLocker in the Enterprise.

Servicing a BitLocker-Protected Computer.

Secure Decommissioning.

Planning for BitLocker Deployment.

Summary.

Chapter 6 Post-Boot Protection: Code Integrity, New Code Signing Rules, and PatchGuard.

Address Space Layout Randomization.

Giving 64-bit More Armor.

PatchGuard.

Code Integrity.

What Can Go Wrong?

New Code Signing Rules.

What Is Code Signing and Why Does It Matter?

ActiveX Controls.

Protected Media Path Requirements.

Requirements.

Getting Down to Business: Code Signing an Application or Driver.

Getting Down to Business: Deploying an Application or Driver Signed by a Publisher.

Summary.

Chapter 7 How Vista Secures Services.

Services in Brief.

Service Control Manager.

How Vista Toughens Services: Overview.

Session Separation.

Reducing Service Privileges.

Developers Can Reduce Service Privileges.

Admins Can Also Reduce Service Privileges.

Special Case: Multiple Services Needing Different Privileges.

Reduced Privilege Summary.

Service Isolation.

How Service Isolation Works.

Restricting a Service’s SID.

Granting Write Permissions to a Service SID.

Understanding the sc.exe.

Restricted SID Commands.

Restricting a Service’s Network Ports.

Summary.

Index.