Windows Vista Security Enhancements
謝合宜, Microsoft contract technical consultant, MCSE: Security/Messaging, MVP/MCT
47 slides

Internet Explorer Protected Mode
  C:\... (Temporary Internet Files)
  C:\... (Startup)

Phishing Filter
  • URL Reputation Service: https://urs.microsoft.com
  • Known Good URLs: IEAPFLTR.DAT

Windows Vista Firewall

Network packet filtering
  Inbound: default is block most; few core exceptions
  Outbound: default is allow all interactive; restrict services
  Allow rules: programs, services; users, computers; protocols, ports
  Block rules: programs, services; users, computers; protocols, ports

Feature comparison: Windows XP SP2 vs. Windows Vista
  Direction: XP SP2 = Inbound; Vista = Inbound, outbound
  Default action: XP SP2 = Block; Vista = Configurable for direction
  Packet types: XP SP2 = TCP, UDP, some ICMP; Vista = All
  Rule types: XP SP2 = Application, global ports, ICMP types; Vista = Multiple conditions from basic five-tuple to IPsec metadata
  Rule actions: Vista = Block, allow, bypass; with rule merge logic
  UI and tools: XP SP2 = Control Panel, netsh; Vista = Control Panel, more netsh, MMC
  APIs: XP SP2 = Public COM, private C; Vista = More COM to expose rules, more C to expose features
  Remote management: XP SP2 = none; Vista = Via hardened RPC interface
  Group Policy: XP SP2 = ADM file; Vista = MMC, netsh
  Terminology: XP SP2 = Exceptions, profiles; Vista = Rules, categories = profiles
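The two firewall slides above give the per-direction defaults (inbound blocks, outbound allows) and mention "rule merge logic" for the block, allow and bypass actions. The following added example (not part of the presentation or of Microsoft's code) models that evaluation: a packet is matched against rules on program, port, protocol and remote address, and the first action found in the order bypass, block, allow decides, falling back to the direction's default. The rules, paths and addresses are constructed for the demo; the merge order used is the one Windows Firewall with Advanced Security applies.

```python
"""Toy model of Windows Vista firewall rule evaluation: per-direction defaults plus the
merge order bypass > block > allow. Added example, not Microsoft's code; rules and packets
below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" or "out"
    protocol: str                       # "tcp", "udp", "icmp"
    local_port: Optional[int]
    remote_addr: str
    program: str                        # image path of the process owning the socket
    ipsec_authenticated: bool = False   # peer authenticated by IPsec (needed for bypass)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow", "block" or "bypass"
    direction: str
    protocol: Optional[str] = None
    local_port: Optional[int] = None
    program: Optional[str] = None
    remote_nets: Tuple[str, ...] = ()   # empty = any remote address

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.local_port is not None and self.local_port != p.local_port:
            return False
        if self.program is not None and self.program.lower() != p.program.lower():
            return False
        if self.remote_nets and not any(ip_address(p.remote_addr) in ip_network(n) for n in self.remote_nets):
            return False
        if self.action == "bypass" and not p.ipsec_authenticated:
            return False   # bypass rules only apply to IPsec-authenticated traffic
        return True


# Vista defaults from the slides: inbound blocks, outbound allows
DEFAULT_ACTION = {"in": "block", "out": "allow"}
# Merge order used by Windows Firewall with Advanced Security
MERGE_ORDER = ("bypass", "block", "allow")


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, str]:
    """Return (verdict, deciding rule name); 'default' when no rule matched."""
    matching = [r for r in rules if r.matches(packet)]
    for action in MERGE_ORDER:
        for rule in matching:
            if rule.action == action:
                return ("allow" if action == "bypass" else action, rule.name)
    return DEFAULT_ACTION[packet.direction], "default"


# Constructed rule set for the demo
RULES = [
    Rule("Allow RDP from LAN", "allow", "in", protocol="tcp", local_port=3389, remote_nets=("10.0.0.0/8",)),
    Rule("Block SMB inbound", "block", "in", protocol="tcp", local_port=445),
    Rule("Management bypass for authenticated hosts", "bypass", "in", protocol="tcp", local_port=445),
    Rule("Allow web outbound", "allow", "out", protocol="tcp"),
    Rule("Block legacy tool outbound", "block", "out", program=r"C:\Tools\legacy.exe"),
]


def run_samples() -> dict:
    """Evaluate a few constructed packets and return the verdict for each."""
    svchost = r"C:\Windows\System32\svchost.exe"
    samples = {
        "rdp_from_lan": Packet("in", "tcp", 3389, "10.1.2.3", svchost),
        "rdp_from_internet": Packet("in", "tcp", 3389, "203.0.113.5", svchost),
        "smb_unauthenticated": Packet("in", "tcp", 445, "10.1.2.3", svchost),
        "smb_ipsec_authenticated": Packet("in", "tcp", 445, "10.1.2.3", svchost, ipsec_authenticated=True),
        "browser_https": Packet("out", "tcp", None, "198.51.100.7", r"C:\Program Files\Internet Explorer\iexplore.exe"),
        "legacy_tool_https": Packet("out", "tcp", None, "198.51.100.7", r"C:\Tools\legacy.exe"),
        "unlisted_udp_out": Packet("out", "udp", None, "198.51.100.7", svchost),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The two cases worth noticing are the legacy tool, which a program-scoped block rule stops even though a broader allow rule also matches, and the SMB packet, which the bypass rule admits only when the peer is IPsec-authenticated; otherwise the block rule wins.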

Management architecture of Windows Defender and Windows Firewall

UAC Architecture
  Admin logon: Abby receives an Admin Token and a "Standard User" Token.
  Standard User Mode: the user process runs with standard user privilege.
    • Change Time Zone
    • Run IT-approved applications
    • Install fonts
    • Install printers
    • Run MSN Messenger
    • Etc.
  Admin privilege: these run in an admin process with administrative rights.
    • Change Time
    • Configure IIS
    • Install Application
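The UAC slides show Abby logging on as an administrator and receiving two tokens: the full admin token and a filtered "Standard User" token that her desktop processes actually use. The added example below (mine, not Microsoft's code) models how the filtered token is derived: the Administrators group is kept only as a deny-only SID and all but a small retained set of privileges are stripped. The retained-privilege set is an approximation of what Windows keeps, and the mapping from the slide's operations to a privilege or group is an assumption made for the demo.

```python
"""Toy model of UAC token filtering at admin logon (added example, not Microsoft's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Privileges Windows keeps in the filtered token (approximation of the real retained set)
RETAINED_PRIVILEGES = frozenset({
    "SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
})
ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of the local Administrators group
USERS = "S-1-5-32-545"            # well-known SID of the local Users group


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]            # enabled group SIDs
    deny_only_groups: FrozenSet[str]  # SIDs that can only cause access to be denied
    privileges: FrozenSet[str]
    elevated: bool


def filter_token(full: Token) -> Token:
    """Derive the 'Standard User' token UAC hands to the normal desktop session."""
    return Token(
        user=full.user,
        groups=full.groups - {ADMINISTRATORS},
        deny_only_groups=full.deny_only_groups | ({ADMINISTRATORS} & full.groups),
        privileges=full.privileges & RETAINED_PRIVILEGES,
        elevated=False,
    )


# Operations from the slides and what each needs (assumed mapping for this toy model)
OPERATIONS: Dict[str, Tuple[str, str]] = {
    "Change Time Zone": ("privilege", "SeTimeZonePrivilege"),
    "Change Time": ("privilege", "SeSystemtimePrivilege"),
    "Run IT Approved Applications": ("group", USERS),
    "Install Fonts": ("group", USERS),
    "Install Printers": ("group", USERS),
    "Run MSN Messenger": ("group", USERS),
    "Configure IIS": ("group", ADMINISTRATORS),
    "Install Application": ("group", ADMINISTRATORS),
}


def can_perform(token: Token, operation: str) -> bool:
    """Access check: privileges must be present; deny-only SIDs never grant access."""
    kind, needed = OPERATIONS[operation]
    if kind == "privilege":
        return needed in token.privileges
    return needed in token.groups


def admin_logon(user: str) -> Tuple[Token, Token]:
    """Return (full admin token, filtered standard-user token) as UAC does at logon."""
    full = Token(
        user=user,
        groups=frozenset({USERS, ADMINISTRATORS}),
        deny_only_groups=frozenset(),
        privileges=RETAINED_PRIVILEGES | {"SeSystemtimePrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"},
        elevated=True,
    )
    return full, filter_token(full)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each operation: (allowed with the standard token, allowed with the admin token)."""
    admin_token, standard_token = admin_logon("Abby")
    return {op: (can_perform(standard_token, op), can_perform(admin_token, op)) for op in OPERATIONS}


if __name__ == "__main__":
    for op, (standard, admin) in demo().items():
        print(f"{op:30} standard={standard!s:5} admin={admin}")
```

Elevation in this model is simply running a process with the unfiltered token; everything else Abby starts gets the filtered one, which is why "Change Time Zone" works without a prompt while "Change Time" and "Install Application" do not.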

Winlogon architecture: Windows XP
  Session 0: Winlogon, LSA, User GP, Machine GP, Profiles, MSGINA.DLL, SCM, Shell
  Other sessions: Winlogon, User GP, MSGINA.DLL, Shell

Winlogon architecture: Windows Vista
  Session 0: LSA, Wininit, SCM, RCM, Profiles, Group Policy
  Other sessions: Winlogon / LogonUI, Credential Providers 1, 2, 3

Credential Providers: user logon
  Components: Winlogon, LogonUI, Credential Provider 1/2/3 (behind the Credential Provider interfaces), LSA
  1. Ctrl + Alt + Delete (Winlogon)
  2. Request credentials
  3. Obtain credential information from the credential providers
  4. Display the logon UI
  5. Click a tile and enter user name and password
  6. Obtain the user's input
  7. Obtain the logon credentials from the credential provider
  8. Return the credential information to Winlogon
  9. LsaLogonUser

Windows Vista data protection
  • Policy definition and enforcement: Rights Management Services (RMS)
  • User-based file encryption: Encrypting File System (EFS)
  • Hardware-based disk encryption: Full Volume Encryption (BitLocker)

BitLocker™ and TPM features
  • BitLocker™ Drive Encryption (BDE)
    – Encrypts the entire volume
    – Uses TPM v1.2 to verify pre-OS components
    – Customizable protection and authentication methods
  • Pre-OS protection
    – USB startup key, PIN, and TPM authentication
  • Single Microsoft TPM driver
    – Improved stability and security
  • TPM Base Services (TBS)
    – Enables third-party applications
  • Active Directory backup
    – Automatically backs up keys to AD
    – Group Policy support
  • Scriptable interface
    – TPM management
    – BitLocker™ management
    – Command-line tools

BitLocker™ Drive Encryption architecture
  Static Root of Trust: measurement of boot components

Disk contents and key storage
  OS volume contains:
    • Encrypted OS
    • Encrypted page file
    • Encrypted temp files
    • Encrypted data
    • Encrypted hibernation file
  System volume contains: MBR, boot manager, boot utilities (unencrypted, small)
  Where's the encryption key?
    1. SRK (Storage Root Key) contained in the TPM
    2. SRK encrypts the FVEK (Full Volume Encryption Key), protected by TPM / PIN / USB storage device
    3. FVEK stored (encrypted by the SRK) on the hard drive in the OS volume

You can use different combinations to provide different levels of security and convenience
  TPM only: "What it is". Protects against: most SW attacks. User must: N/A (no user impact).
  TPM + USB: "What it is + what you have". Protects against: HW attacks. User must: protect the USB key.
  TPM + PIN: "What it is + what you know". Protects against: many HW attacks. User must: enter a PIN to boot.
  (Slide axes: ease of deployment/maintenance versus encryption and usage level)
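The three slides above describe the BitLocker key chain (SRK in the TPM wraps the FVEK, the wrapped FVEK lives on the OS volume, the FVEK encrypts everything else), the static root of trust that measures boot components, and the TPM-only, TPM + USB and TPM + PIN protector combinations. The added example below (my own toy model, not Microsoft's implementation) ties those together: the TPM-bound protector key is derived from the SRK, the boot measurement and any PIN or USB key material, so a modified boot manager, a wrong PIN or a missing startup key all leave the FVEK unrecoverable. HMAC-SHA256 in counter mode stands in for AES, and the boot component bytes, PIN and USB key are constructed.

```python
"""Toy model of the BitLocker key chain on the slides: SRK in the TPM wraps the FVEK,
the FVEK encrypts the OS volume, and unsealing is tied to the measured boot chain and
to the optional PIN / USB startup key. Added example; not Microsoft's implementation."""
import hashlib
import hmac
import os
from typing import List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for the AES used by real BitLocker
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unseal failed: wrong key material or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyTPM:
    """Holds the SRK, which never leaves the chip, and a PCR-like boot measurement."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)
        self._measured = b""

    def measure_boot(self, components: List[Tuple[str, bytes]]) -> None:
        # Static root of trust: each pre-OS component is hashed in order, extending the measurement
        digest = b"\x00" * 32
        for name, data in components:
            digest = hashlib.sha256(digest + name.encode() + hashlib.sha256(data).digest()).digest()
        self._measured = digest

    def protector_key(self, pin: bytes = b"", usb_key: bytes = b"") -> bytes:
        # Reproducible only when the boot measurement and every extra factor match
        return hashlib.sha256(self._srk + self._measured + pin + usb_key).digest()


def enable_bitlocker(tpm: ToyTPM, boot_components, pin: bytes = b"", usb_key: bytes = b""):
    """Return (FVEK held in memory while the volume is open, wrapped FVEK written to the OS volume)."""
    tpm.measure_boot(boot_components)
    fvek = os.urandom(32)
    return fvek, seal(tpm.protector_key(pin, usb_key), fvek)


def unlock_volume(tpm: ToyTPM, boot_components, wrapped_fvek: bytes, pin: bytes = b"", usb_key: bytes = b"") -> bytes:
    """Pre-OS unlock: re-measure the boot chain, then unwrap the FVEK with the TPM-bound key."""
    tpm.measure_boot(boot_components)
    return unseal(tpm.protector_key(pin, usb_key), wrapped_fvek)


def _try_unlock(*args, **kwargs) -> bool:
    try:
        unlock_volume(*args, **kwargs)
        return True
    except ValueError:
        return False


def demo() -> dict:
    tpm = ToyTPM()
    good_boot = [("MBR", b"constructed MBR bytes"), ("bootmgr", b"constructed boot manager")]
    tampered_boot = [("MBR", b"constructed MBR bytes"), ("bootmgr", b"constructed boot manager, modified")]
    pin, usb = b"1234", os.urandom(32)   # constructed PIN and USB startup key material

    fvek, on_disk = enable_bitlocker(tpm, good_boot, pin=pin)    # TPM + PIN protector
    pagefile = seal(fvek, b"constructed page-file contents")     # data on the OS volume
    results = {
        "good_boot_right_pin": unlock_volume(tpm, good_boot, on_disk, pin=pin) == fvek,
        "wrong_pin": _try_unlock(tpm, good_boot, on_disk, pin=b"0000"),
        "tampered_boot": _try_unlock(tpm, tampered_boot, on_disk, pin=pin),
        "pagefile_readable_with_fvek": unseal(fvek, pagefile) == b"constructed page-file contents",
    }
    # TPM-only protector: nothing for the user to enter, but a changed boot chain is still refused
    fvek2, on_disk2 = enable_bitlocker(tpm, good_boot)
    results["tpm_only_good_boot"] = unlock_volume(tpm, good_boot, on_disk2) == fvek2
    results["tpm_only_tampered_boot"] = _try_unlock(tpm, tampered_boot, on_disk2)
    # TPM + USB: the startup key must be present at boot
    fvek3, on_disk3 = enable_bitlocker(tpm, good_boot, usb_key=usb)
    results["tpm_usb_without_key"] = _try_unlock(tpm, good_boot, on_disk3)
    results["tpm_usb_with_key"] = unlock_volume(tpm, good_boot, on_disk3, usb_key=usb) == fvek3
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The only secret that ever touches the disk is the wrapped FVEK, which matches point 3 of the key-storage slide; the SRK stays inside the TPM, and the PIN and USB key are contributed at boot time rather than stored.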

BitLocker™ Drive Encryption

Requirements for building a BitLocker™ system
  • Hard disk
    – BitLocker™ needs at least two partitions
      • System partition ("Active", NTFS, minimum 1.5 GB)
    – OS must be installed on a separate partition
      • OS and other partition(s) can be of any size
  • USB
    – System boot from USB 1.x and 2.x
    – USB read/write in the pre-OS environment
      • FAT16, FAT32, or NTFS file system
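The partition requirements above are easy to get wrong on a machine that was installed with a single partition. The added example below (mine, not a Microsoft tool) checks a described layout against exactly the rules on the slide: at least two partitions, one active NTFS system partition of at least 1.5 GB, and the OS on a separate partition. The partition descriptions are constructed; on a real machine they would come from the disk management tooling.

```python
"""Check a partition layout against the BitLocker requirements on the slide (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Partition:
    name: str
    filesystem: str      # "NTFS", "FAT32", ...
    size_gb: float
    active: bool         # marked active (bootable) in the partition table
    has_os: bool         # Windows is installed here


def check_bitlocker_layout(parts: List[Partition]) -> List[str]:
    """Return the problems found; an empty list means the layout meets the slide's requirements."""
    problems: List[str] = []
    if len(parts) < 2:
        problems.append("BitLocker needs at least two partitions")
    active = [p for p in parts if p.active]
    if len(active) != 1:
        problems.append(f"expected exactly one active system partition, found {len(active)}")
        return problems
    system = active[0]
    if system.filesystem.upper() != "NTFS":
        problems.append(f"system partition {system.name} must be NTFS, is {system.filesystem}")
    if system.size_gb < 1.5:
        problems.append(f"system partition {system.name} is {system.size_gb} GB, minimum is 1.5 GB")
    if system.has_os:
        problems.append("OS must be installed on a partition separate from the system partition")
    if not any(p.has_os and not p.active for p in parts):
        problems.append("no separate OS partition found")
    return problems


# Constructed layouts for the demo
SINGLE_PARTITION = [Partition("C:", "NTFS", 80.0, active=True, has_os=True)]
SMALL_FAT_SYSTEM = [
    Partition("System", "FAT32", 1.0, active=True, has_os=False),
    Partition("C:", "NTFS", 120.0, active=False, has_os=True),
]
BITLOCKER_READY = [
    Partition("System", "NTFS", 1.5, active=True, has_os=False),
    Partition("C:", "NTFS", 120.0, active=False, has_os=True),
]

if __name__ == "__main__":
    for label, layout in [("single partition", SINGLE_PARTITION), ("small FAT system", SMALL_FAT_SYSTEM),
                          ("BitLocker-ready", BITLOCKER_READY)]:
        print(label, check_bitlocker_layout(layout) or "OK")
```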

For More Information…
  • TechNet: www.microsoft.com/taiwan/technet
  • Windows Vista: www.microsoft.com/taiwan/windowsvista
  • Windows Vista: Resources for IT Professionals: www.microsoft.com/technet/windowsvista/default.mspx
  • IE website: http://www.microsoft.com/windows/ie/
  • MVP community site: www.microsoft.com/taiwan/community