Windows 7 Desktop Security

Uploader: re****.1  Document ID: 587942612  Uploaded: 2024-09-06  Format: PPT  Pages: 57  Size: 4.61 MB

Chapter 6: Windows 7 Desktop Security

Overview
- Overview of security management in Windows 7
- Strengthening Windows 7 security with Local Group Policy
- Data security with EFS and BitLocker
- Configuring application restrictions
- Configuring User Account Control
- Configuring Windows Firewall
- Configuring security settings in Internet Explorer 8
- Configuring Windows Defender

Lesson 1: Overview of security management in Windows 7
- Key security features of Windows 7
- What is Action Center?
- Demonstration: Configuring Action Center settings

Key security features of Windows 7
- Encrypting File System (EFS)
- Windows BitLocker and BitLocker To Go
- Windows AppLocker
- User Account Control
- Windows Firewall with Advanced Security
- Windows Defender
- Windows 7 Action Center

What is Action Center?
Action Center is a central location for viewing messages about your system and the starting point for diagnosing and solving issues with your system. (Screenshot callout: select the items that you want checked for user alerts.)

Demo: Configuring Action Center settings
In this demonstration, you will see how to:
- Change Action Center settings
- Change User Control settings
- View archived messages
(10 min)

Lesson 2: Strengthening Windows 7 security with Local Group Policy
- What is Group Policy?
- How are Group Policy objects processed?
- How do multiple local group policies work?
- Demo: Creating multiple local group policies
- Demo: Configuring local security policy settings

What is Group Policy?
Group Policy lets IT administrators manage users and computers one-to-many. Use Group Policy to:
- Enforce standardized configurations
- Deploy software
- Enforce security settings
- Enforce a consistent desktop environment
Local Group Policy affects local or domain users who log on to that computer.

How are Group Policy objects processed?
Computer settings are applied at startup and at each policy refresh interval; user settings are applied at user logon and at each policy refresh interval. Group Policy processing order:
1. Local GPOs
2. Site-level GPOs
3. Domain GPOs
4. OU GPOs

How do multiple local group policies work?
Multiple Local Group Policy lets an administrator apply different local policies to different local users. Local Group Policy objects can be applied at three levels of users:
1. The Local Group Policy object applies to the local computer and all users.
2. The Administrators and Non-Administrators policies contain user settings only.
3. A user-specific policy is processed last, contains user settings only, and applies to the specified user.

Demo: Creating multiple local group policies
In this demonstration, you will see how to:
- Create a custom management console
- Configure the Local Computer Policy
- Configure the Local Computer Administrators Policy
- Configure the Local Computer Non-Administrators Policy
- Test multiple local group policies
(10 min)

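The layered processing this lesson describes (local GPOs first, then site, domain and OU; within the local layer the three Multiple Local Group Policy levels, with the user-specific policy last) is worked through below as an added example written for this page; it is not code from the course, and the layer names, setting names, values and users are constructed.

```python
from dataclasses import dataclass

# Processing order from the slides: the three Multiple Local Group Policy
# layers in the order Windows 7 applies them, then site, domain and OU GPOs.
# A setting configured in a later layer overrides the same setting earlier.
ORDER = ("local", "local_admins", "local_non_admins", "local_user",
         "site", "domain", "ou")
# These local layers carry user settings only (slide: levels 2 and 3).
USER_ONLY_LAYERS = {"local_admins", "local_non_admins", "local_user"}

@dataclass
class GPO:
    layer: str             # one of ORDER
    settings: dict         # setting name -> configured value
    target_user: str = ""  # only used by the user-specific local GPO

def applies_to(gpo, user, is_admin):
    """Does this GPO apply to the given logged-on user?"""
    if gpo.layer == "local_admins":
        return is_admin
    if gpo.layer == "local_non_admins":
        return not is_admin
    if gpo.layer == "local_user":
        return gpo.target_user == user
    return True

def effective_setting(gpos, name, user, is_admin, scope="user"):
    """Return (value, winning_layer), or (None, None) if nothing applicable
    configures it. Computer-scope settings never come from user-only layers."""
    winner = (None, None)
    for layer in ORDER:
        if scope == "computer" and layer in USER_ONLY_LAYERS:
            continue
        for gpo in gpos:
            if (gpo.layer == layer and applies_to(gpo, user, is_admin)
                    and name in gpo.settings):
                winner = (gpo.settings[name], layer)  # last writer wins
    return winner

# Constructed sample: non-administrators lose the Run menu, one user is
# exempted by a user-specific policy, and the domain GPO overrides the
# password length configured in the Local Group Policy object.
SAMPLE_GPOS = [
    GPO("local", {"RemoveRunMenu": False, "MinimumPasswordLength": 8}),
    GPO("local_non_admins", {"RemoveRunMenu": True}),
    GPO("local_user", {"RemoveRunMenu": False}, target_user="alice"),
    GPO("domain", {"MinimumPasswordLength": 12}),
]
```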
Demo: Configuring local security policy settings
In this demonstration, you will see how to review the local security group policy settings. (10 min)

Lesson 3: Data security with EFS and BitLocker
- What is EFS?
- Demo: Encrypting and decrypting files and folders with EFS
- What is BitLocker?
- BitLocker requirements
- BitLocker modes
- BitLocker Group Policy settings
- Configuring BitLocker
- Configuring BitLocker To Go
- Recovering a BitLocker-encrypted drive

What is EFS?
- Encrypting File System (EFS) is the built-in file encryption tool in Windows.
- Enables transparent encryption and decryption.
- Requires the appropriate cryptographic (symmetric) key to read the encrypted data.
- Each user must have a public and private key pair that is used to protect the symmetric key.
- A user's public and private keys: can either be self-generated or issued from a Certificate Authority; are protected by the user's password; allow files to be shared with other users' certificates.

New EFS features in Windows 7
- Support for storing the private key on a smart card
- Encrypting File System Rekeying Wizard
- New EFS Group Policy settings
- Encryption of the system page file
- Support for AES 256-bit encryption
- Per-user encryption of offline files

Demo: Encrypting and decrypting files and folders with EFS
In this demonstration, you will see how to:
- Encrypt files and folders
- Confirm the files and folders have been encrypted
- Decrypt files and folders
- Confirm the files and folders have been decrypted
(10 min)

What is BitLocker?
Windows BitLocker Drive Encryption can encrypt the operating system and data stored on the system volume.
- Provides support for offline data protection
- Protects all application data installed on the encrypted volume
- Includes system integrity checking: verifies boot components and boot configuration data, and ensures the integrity of the boot process

BitLocker requirements
Encryption and decryption keys, and the following hardware requirements. BitLocker encryption requires:
- A computer with a TPM (v1.2 or later) chip
- A removable USB device
- Enough free space: BitLocker needs to create two partitions
- A BIOS that is compatible with the TPM and supports USB devices at system startup

BitLocker modes
Windows 7 supports two operating modes: TPM mode and non-TPM mode.
TPM mode:
- Locks the normal boot process until the user optionally supplies a personal PIN and/or inserts a USB drive containing a BitLocker startup key
- The encrypted disk must be located in the original computer
- Performs system integrity verification on boot components
- If any items changed unexpectedly, the drive is locked and prevented from being accessed or decrypted
Non-TPM mode:
- Group Policy is used to allow BitLocker to work without a TPM
- Locks the boot process similarly to TPM mode, but the BitLocker startup key must be stored on a USB device
- The computer's BIOS must be able to read the USB drive
- Provides limited validation: BitLocker's system integrity check cannot be performed

BitLocker Group Policy settings
Local Group Policy settings for BitLocker Drive Encryption are grouped into Settings for Operating System Drives, Settings for Fixed Data Drives and Settings for Removable Data Drives. Group Policy provides the following settings for BitLocker:
- Turn on BitLocker backup to Active Directory Domain Services
- Configure the recovery folder on Control Panel Setup
- Enable advanced startup options on Control Panel Setup
- Configure the encryption method
- Prevent memory overwrite on restart
- Configure TPM validation method used to seal BitLocker keys

Configuring BitLocker
Enabling BitLocker initiates a start-up wizard that:
- Validates system requirements
- Creates the second partition if it does not already exist
- Allows you to configure how to access an encrypted drive: USB; user function keys to enter the passphrase; no key
Three methods to enable BitLocker:
- From System and Settings in Control Panel
- Right-click the volume to be encrypted in Windows Explorer and select the Turn on BitLocker menu option
- Use the command-line tool manage-bde.wsf
(Screenshots: initiating BitLocker through Windows Explorer; initializing BitLocker through the console; selecting how to store your recovery key.)

Configuring BitLocker To Go
- Enable BitLocker To Go Drive Encryption by right-clicking the portable device (such as a USB drive) and then clicking Turn On BitLocker
- Select one of the following settings to unlock a drive encrypted with BitLocker To Go: unlock with a recovery password or passphrase; unlock with a smart card; always auto-unlock this device on this PC
- Select how to unlock the drive, through a password or by using a smart card, then encrypt the drive
(Screenshot: managing a drive encrypted by BitLocker To Go.)

Recovering a BitLocker-encrypted drive
When a BitLocker-enabled computer starts:
- BitLocker checks whether the operating system shows signs of tampering
- If it does, BitLocker enters recovery mode and keeps the system partition locked
- The user must enter the correct recovery key to continue
The BitLocker recovery password is:
- A 48-digit numeric password used to unlock the system
- Unique to a particular BitLocker encryption
- Storable in Active Directory; if stored in Active Directory, it can be searched for by drive label or computer password

Lesson 4: Configuring application restrictions
- What is AppLocker?
- AppLocker rules
- Demo: Configuring AppLocker rules
- Demo: Enforcing AppLocker rules
- What is Software Restriction Policy?

What is AppLocker?
AppLocker is a new security feature in Windows 7 that lets IT administrators specify which applications users may run. Its benefits:
- Control how users access and run all types of applications
- Ensure that only permitted programs and licensed software run on users' desktops
Default rules:
- All users can run files in the default Program Files directory
- All users can run files signed by the Windows operating system
- The built-in Administrators group can run all files
First, before creating new rules by hand, create the default AppLocker rules, then customize rules.

AppLocker rules
Creating custom rules:
- In the Local Security Policy console, use the AppLocker wizard to generate rules automatically
- You can configure Executable rules, Windows Installer rules and Script rules
- You can assign a folder containing .exe files to a rule
- You can create an exception for a specific .exe file
- You can create application rules based on digital signatures
- You can manually create a custom executable rule

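How these rule types combine at run time (group scope, path rules with exceptions, publisher rules, deny beating allow, and default deny once a collection has rules), shown as an added example written for this page rather than Microsoft's AppLocker engine; the paths, signer name and groups are constructed, and the deny rule models the Lab A requirement of blocking Windows Media Player.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Exe:
    path: str                        # full path of the file being launched
    publisher: str = ""              # signer name, "" when unsigned
    groups: frozenset = frozenset()  # groups held by the launching user

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    group: str              # "Everyone", or a group the user must hold
    kind: str               # "path" or "publisher"
    value: str              # folder/file glob or publisher name
    exceptions: tuple = ()  # path globs carved out of a path rule

def matches(rule, exe):
    """True when both the rule's group scope and its condition hit the file."""
    if rule.group != "Everyone" and rule.group not in exe.groups:
        return False
    if rule.kind == "path":
        p = exe.path.lower()
        if not fnmatchcase(p, rule.value.lower()):
            return False
        return not any(fnmatchcase(p, e.lower()) for e in rule.exceptions)
    if rule.kind == "publisher":
        return exe.publisher == rule.value
    raise ValueError(f"unknown rule kind: {rule.kind}")

def is_allowed(rules, exe):
    """Empty collection enforces nothing; deny beats allow; else default deny."""
    if not rules:
        return True
    hits = [r for r in rules if matches(r, exe)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)

# Constructed rule set: the three default rules from the slides (Program
# Files, Windows-signed files, Administrators run everything), a path rule
# with an exception, and the Lab A deny rule for Windows Media Player.
RULES = [
    Rule("allow", "Everyone", "path", r"c:\program files\*"),
    Rule("allow", "Everyone", "publisher", "Microsoft Windows"),
    Rule("allow", "Administrators", "path", "*"),
    Rule("allow", "Everyone", "path", r"c:\tools\*", exceptions=(r"c:\tools\legacy\*",)),
    Rule("deny", "Everyone", "path", r"c:\program files\windows media player\wmplayer.exe"),
]
```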
Demo: Configuring AppLocker rules
In this demonstration, you will see how to:
- Create a new executable rule
- Create a new Windows Installer rule
- Automatically generate Script rules
(10 min)

Demo: Enforcing AppLocker rules
In this demonstration, you will see how to:
- Enforce AppLocker rules
- Confirm the executable rule enforcement
- Confirm the Windows Installer rule enforcement
(10 min)

What is Software Restriction Policy?
- Software Restriction Policy (SRP) specifies which software users are allowed to execute
- SRP is the policy supported on Windows XP and Windows Server 2003
- SRP is designed to help organizations control unknown code and malicious programs that must not execute
- SRP includes a default security level; all rules are enforced when Group Policy is applied
How does SRP compare to Windows AppLocker?
- AppLocker is intended to replace Software Restriction Policy
- The SRP console and SRP rules are still supported in Windows 7, mainly for backward compatibility
- AppLocker rules are completely independent of SRP rules
- AppLocker Group Policy is independent of SRP Group Policy
- If AppLocker rules are defined in a GPO, only the specified rules are applied
- Define AppLocker and SRP rules separately according to the client versions in the enterprise
(Slide: SRP and AppLocker compared.)

Lesson 5: Configuring User Account Control
- What is UAC?
- How UAC works
- Demo: Configuring UAC Group Policy settings
- Configuring UAC prompt settings

What is UAC?
- User Account Control (UAC) is a security feature that lets users perform necessary day-to-day tasks in standard user mode
- When necessary, UAC asks the user to elevate to administrator mode to perform the operation
- Windows 7 improves the UAC elevation experience

How UAC works
In Windows 7, what prompt appears when a user performs a task that requires administrative privileges?
- Administrative users: UAC prompts the user for permission to complete the task
- Standard users: UAC prompts the user for the credentials of a user with administrative privileges

Demo: Configuring UAC Group Policy settings
In this demonstration, you will see how to:
- Open the User Accounts window
- Review user groups
- View the Credential Prompt
- Change User Account settings and view the Consent Prompt
(10 min)

Configuring UAC prompt settings
The UAC user experience levels are:
- Always notify me
- Notify me only when programs try to make changes to my computer
- Notify me only when programs try to make changes to my computer (do not dim my desktop)
- Never notify

Lab A: Configuring UAC, Local Security Policies, EFS, and AppLocker
- Exercise 1: Configuring virus protection and User Account Control (UAC) notification settings in Action Center
- Exercise 2: Configuring Multiple Local Group Policies to manage the appearance of selected program icons
- Exercise 3: Configuring and testing encryption of files and folders
- Exercise 4: Configuring and testing AppLocker rules to control what programs can be executed
Logon information
- Estimated time: 50 minutes
- Virtual machines: 6292A-LON-DC1, 6292A-LON-CL1
- User name: Contoso\Administrator
- Password: Pa$w0rd

Lab A scenario
Your company is implementing Windows 7 computers for all corporate users. As an administrator at your organization, you are responsible for configuring the new Windows 7 computers to support various corporate requirements. You have been asked to:
- Turn off virus protection notifications
- Verify that the User Account Control (UAC) settings are set to "Always notify but not dim the desktop"
- Configure multiple local group policies to control which of the default program icons appear on users' and administrators' computers
- Encrypt all sensitive data on computers using EFS
- Use AppLocker rules to prevent corporate users from running Windows Media Player and installing unauthorized applications

Lab A review
- Where can you turn security messages related to virus protection on and off? What are some of the other security messages that can be configured in Windows 7?
- How can the notifications about changes to the computer be suppressed?
- Can multiple local group policies be created and applied to different users?
- What are some of the ways of protecting sensitive data in Windows 7?
- How can Windows 7 users be prevented from running applications, such as Windows Media Player?

Lesson 6: Configuring Windows Firewall
- Discussion: What is a firewall?
- Configuring basic firewall settings
- Windows Firewall with Advanced Security
- Ports used by common applications
- Demo: Configuring inbound, outbound and connection security rules

Discussion: What is a firewall?
1. What type of firewall is your company using?
2. Why was it chosen?
(10 min)

Configuring basic firewall settings
- Configure the network location
- Turn Windows Firewall on or off and customize the settings for each network location
- Add, change and remove allowed programs
- Configure and change the settings of multiple active profiles
- Configure Windows Firewall notifications

Windows Firewall with Advanced Security
- Windows Firewall with Advanced Security filters incoming and outgoing connections based on its configuration.
- Inbound rules explicitly allow or explicitly block traffic that matches the criteria in the rule.
- Outbound rules explicitly allow or explicitly deny traffic originating from the computer that matches the criteria in the rule.
- Connection security rules secure traffic by using IPsec while it crosses the network.
- The monitoring interface displays information about current firewall rules, connection security rules, and security associations.
- The Properties page is used to configure firewall properties for domain, private, and public network profiles, and to configure IPsec settings.

Ports used by common applications
When a computer establishes communication with a remote host, a TCP or UDP socket is created. (Diagram of the TCP/IP protocol suite: Ethernet; ARP; IPv4, IPv6, ICMP, IGMP; TCP, UDP; HTTP, HTTPS, FTP, SMTP, DNS, POP3, SNMP.)

Demo: Configuring inbound, outbound and connection security rules
In this demonstration, you will see how to:
- Configure an inbound rule
- Configure an outbound rule
- Test the outbound rule
- Create a connection security rule
- Review monitoring settings in Windows Firewall
(15 min)

Lesson 7: Configuring security settings in Internet Explorer 8
- Discussion: Compatibility features in Internet Explorer 8
- Enhanced privacy features in Internet Explorer 8
- The SmartScreen feature in Internet Explorer 8
- Other security features in Internet Explorer 8
- Demo: Configuring security settings in Internet Explorer 8

Discussion: Compatibility features in Internet Explorer 8
What compatibility problems do you run into when you upgrade Internet Explorer? (10 min)

Enhanced privacy features in Internet Explorer 8
- InPrivate Browsing: inherently more secure than using Delete Browsing History to maintain privacy, because no logs are kept and no tracks are made during browsing
- InPrivate Filtering: helps monitor the frequency of all third-party content as it appears across all Web sites visited by the user
- Enhanced Delete Browsing History: enables users and organizations to selectively delete browsing history

The SmartScreen feature in Internet Explorer 8
(Screenshot callouts: use this link to navigate away from an unsafe Web site and start browsing from a trusted location; use this link to ignore the warning, in which case the address bar remains red as a persistent warning that the site is unsafe.)

Other security features in Internet Explorer 8
- Per-user ActiveX: lets standard users install ActiveX controls into their own user profile without administrator privileges
- Per-site ActiveX: IT administrators use Group Policy to preconfigure the controls allowed for the associated domains
- XSS Filter: if the request content is replayed in the server's response, it is identified as a cross-site scripting attack
- DEP/NX protection: looks for data in memory that is not explicitly marked as containing executable code (such data is sometimes virus code); once found, NX marks it "non-executable"

Demo: Configuring security settings in Internet Explorer 8
In this demonstration, you will see how to:
- Enable Compatibility View for all Web sites
- Delete browsing history
- Configure InPrivate Browsing
- Configure InPrivate Filtering
- View the add-on management interface
(10 min)

Lesson 8: Configuring Windows Defender
- What is malware?
- What is Windows Defender?
- Windows Defender scan options
- Demo: Configuring Windows Defender settings

What is malware?
Malware is software deliberately designed to damage a computer. Malware includes:
- Viruses
- Worms
- Trojan horses
- Spyware
- Adware
Malware leads to:
- Reduced performance
- Data loss
- Loss of privacy
- Reduced user productivity
- Unauthorized changes to the computer's configuration

What is Windows Defender?
Windows Defender is security software that protects the computer against security risks; it detects and removes known spyware.
- Scheduled scans run periodically according to the configured schedule
- Provides configurable responses for the severe, high, medium and low alert levels
- Provides definable exceptions for files, folders and file types
- Installs new spyware definitions automatically through Windows Update
- When a scan completes, the results are displayed on the home page

Windows Defender scan options
When scanning, you can define what is scanned:
- Scan archive files: may increase scanning time, but spyware likes to hide in these locations
- Scan e-mail: scan e-mail messages and attachments
- Scan removable drives: scan removable drives such as USB flash drives
- Use heuristics: alert you to potentially harmful behavior even if it is not included in a definition file
- Create a restore point: if detected items are automatically removed, this restores system settings if you want to use software you did not intend to remove
Scan types:
- Quick scan: scans the system locations on the computer most likely to be infected
- Full scan: scans all locations on the computer
- Custom scan: scans locations specified by the user

Demo: Configuring Windows Defender settings
In this demonstration, you will see how to:
- Set Windows Defender options
- View quarantined items
- View allowed items
- Microsoft SpyNet
- Windows Defender Web site
(10 min)

Lab B: Configuring Windows Firewall, Internet Explorer 8.0 Security Settings, and Windows Defender
- Exercise 1: Configuring and testing inbound and outbound rules in Windows Firewall
- Exercise 2: Configuring and testing security settings in Internet Explorer 8
- Exercise 3: Configuring scan settings and default actions in Windows Defender
Logon information
- Estimated time: 45 minutes
- Virtual machines: 6292A-LON-DC1, 6292A-LON-CL1
- User name: Contoso\Administrator
- Password: Pa$w0rd

Lab B scenario
Your company has recently implemented Windows 7 computers for all corporate users. Some of the users have been connecting to and from other desktops through RDP. You need to prevent them from doing so with the use of Windows Firewall. As an administrator at your organization, you are responsible for configuring and testing various security settings in Internet Explorer 8, including InPrivate Browsing, InPrivate Filtering, and Compatibility View for all Web sites. To prevent malware from infecting computers, you need to configure Windows Defender scan settings, schedule scans to run on Sundays at 10:00 PM, and set severe alert items to quarantine. You also need to review what items have been allowed on computers.

Lab B review
- What are the types of rules you can configure in Windows Firewall?
- What are some of the new security settings in Internet Explorer 8?
- Will the default Windows Defender settings check for new definitions and regularly scan for spyware and other potentially unwanted software?
- What are some of the types of scans Windows Defender can perform to detect malicious and unwanted software?

Module review and takeaways
- Review questions
- Real-world issues and scenarios
- Common issues
- Best practices
