Windows Vista for IT Professionals, part 3 (PDF)


Session 1: Security Enhancements in Windows Vista 13

• Applying a write-restricted access token to the service process. This access token can
be used in cases where the set of objects written to by the service is bounded and can
be configured. Write attempts to resources that do not explicitly grant the Service
SID access will fail.
• Controlling services by using network firewall policies, which prevents network
access outside the normal bounds of the service program. Service SIDs are linked
directly with the firewall policy.
Demonstration: Viewing Service Configuration

In this demonstration, you will see how you can:
• View the properties of the Dynamic Host Configuration Protocol (DHCP) Client
service.
• View the properties of the Workstation service.

Key Points
• Services in Windows Vista have been hardened to require lower privileges to reduce
the risk of a service being compromised.
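As an added example (not part of the course material), the following batch file inspects the two services used in this demonstration from the command line. Dhcp and LanmanWorkstation are the Windows service short names for the DHCP Client and Workstation services, and the qsidtype, qprivs and showsid subcommands of sc.exe are the Windows Vista additions that expose the service SID type and the reduced privilege set described above.

```batch
@echo off
setlocal
rem Added example: inspect the hardening applied to the DHCP Client (Dhcp) and
rem Workstation (LanmanWorkstation) services with the Windows Vista sc.exe subcommands.
rem Run from an elevated command prompt.

for %%s in (Dhcp LanmanWorkstation) do call :inspect %%s
endlocal
exit /b 0

:inspect
echo ===== %1 =====
rem Basic configuration: image path, the account the service runs as, start type.
sc qc %1
rem Service SID type: NONE (no service SID), UNRESTRICTED (SID added to the token),
rem or RESTRICTED (SID added and the process runs with a write-restricted token,
rem so writes succeed only where the service SID is explicitly granted access).
sc qsidtype %1
rem Privileges the service is allowed to keep; everything not listed is removed
rem from the process token, which is what limits a compromised service.
sc qprivs %1
rem The service SID itself (S-1-5-80-...): the identity that appears as
rem NT SERVICE\%1 in ACLs and that service-specific firewall rules bind to.
sc showsid %1
echo.
exit /b 0
```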

What Is User Account Control?

User Account Control (UAC) is a new feature in Windows Vista that makes it easier for
users to run as standard users and perform all their necessary day-to-day tasks.
Administrative users also benefit from UAC because administrative privileges are
available only after UAC requests permission from the user for that instance.
Standard Users
In previous versions of Windows, many users were configured to use administrative
privileges rather than standard user permissions. This was done because previous
versions of Windows required administrator permissions to perform basic system tasks
such as adding a printer or configuring the time zone. In Windows Vista, many of these
tasks no longer require administrative privileges.
When users have administrative permissions to their computers, they are able to install
additional software. Despite corporate policies against installing unauthorized software,
many users do install unauthorized software, which may make their systems less stable
and drive up support costs.
When UAC is enabled, and a user needs to perform a task that requires administrative
permissions, UAC prompts the user for the credentials of a user with administrative
privileges. In a corporate environment, the Help desk could give the user temporary
credentials that have local administrative privileges to complete the task.
Administrative Users
UAC allows users with administrative privileges to run as standard users most of the time.
When users with administrative privileges perform a task that requires administrative
privileges, UAC prompts the user for permission to complete the task. When the user
grants permission, the task in question is performed using full administrative rights, and
then the account reverts to a lower level of privilege.

How UAC Prevents Malware

Malware is usually installed using the privileges of the user who is logged on at the
computer. When a user has standard user privileges rather than administrative privileges,
malware is less likely to be installed and will cause less damage if it does get installed.
Standard Users
If a standard user attempts to install a Trojan that contains malware, the user will not be
able to install it because a standard user does not have sufficient privileges to install
software. Because UAC allows users to perform most necessary tasks without
administrative privileges, users can be configured as standard users and still perform all
of their necessary tasks.
If malware is installed on a computer when a user logs on, the ability of the malware to
spread itself and access data is limited to the privileges of the user. If the user has only
standard user privileges, the impact of the malware is reduced when compared to running
as a user with administrative privileges.
Administrative Users
Malware can no longer silently install itself when administrative users are logged in. The
default permission level for administrative users is to run as a standard user. An
application can install only when an administrative user grants permission to elevate
privileges. In addition, any malware attempting to perform tasks requiring administrative
user privileges must be explicitly granted permission by the user.
UAC Administration

UAC can be configured by using the local security policy or Group Policy. In most
corporate environments, Group Policy is preferred because it can be centrally managed
and controlled.
The following options are available to configure UAC in the local security policy or a
Group Policy object:
• User Account Control: Admin Approval Mode for the Built-in Administrator Account.
This option requires the local Administrator account to approve the elevation of
privileges to administrative user. The default setting is on.
• User Account Control: Behavior of the elevation prompt for administrators in Admin
Approval Mode. This option allows you to disable UAC for administrators, prompt
for administrative credentials, or prompt for permission. The default configuration
prompts for consent when administrative privileges are required.
• User Account Control: Behavior of the elevation prompt for standard users. This
option allows you to configure the elevation prompt to ask for credentials or disable
the elevation prompt. If the elevation prompt is disabled, users must use Runas to
start the application with administrative privileges. The default configuration prompts
for credentials.
• User Account Control: Detect application installations and prompt for elevation.
This option is required for the proper installation of most legacy applications. When
enabled, UAC automatically detects application installations and prompts to elevate
privileges. The default setting is on.
• User Account Control: Only elevate executables that are signed and validated. This
option restricts privilege elevation to applications that are digitally signed. To allow
unsigned legacy applications, this option should be disabled. The default
configuration is disabled.
• User Account Control: Run all administrators in Admin Approval Mode. This option
requires all users with administrative privileges to approve privilege elevation for
processes. If this option is disabled, UAC is disabled for administrative users and
standard users. The default configuration is enabled.
• User Account Control: Switch to the secure desktop when prompting for elevation.
This option limits communication with the elevation prompt to Windows Vista
processes to prevent malware from approving elevation. The default setting is
enabled.
• User Account Control: Virtual file and registry write failures to per-user locations.
This option allows legacy applications that are not UAC compliant to run properly by
redirecting registry and file writes to the user profile. Redirection happens silently
and the user is unaware of the redirection. The default configuration is enabled.
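Each of the policy options above is backed by a DWORD value under the Policies\System registry key, which makes the effective UAC configuration of a computer easy to audit from a batch file. The following read-only script is an added example, not part of the course; the value names are the standard Windows Vista ones, and the variable and label names are the script's own.

```batch
@echo off
setlocal
rem Added example (not from the course): audit the UAC policy settings described above
rem by reading the registry values that back them. Read-only; changes nothing.
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

call :show FilterAdministratorToken    "Admin Approval Mode for the Built-in Administrator account"
call :show ConsentPromptBehaviorAdmin  "Elevation prompt for administrators: 0=no prompt, 1=credentials, 2=consent"
call :show ConsentPromptBehaviorUser   "Elevation prompt for standard users: 0=automatically deny, 1=credentials"
call :show EnableInstallerDetection    "Detect application installations and prompt for elevation"
call :show ValidateAdminCodeSignatures "Only elevate executables that are signed and validated"
call :show EnableLUA                   "Run all administrators in Admin Approval Mode"
call :show PromptOnSecureDesktop       "Switch to the secure desktop when prompting for elevation"
call :show EnableVirtualization        "Virtualize file and registry write failures to per-user locations"

rem EnableLUA=0 switches UAC off for administrators and standard users alike (after a
rem reboot), so it is the one value worth flagging explicitly.
if /i "%UAC_EnableLUA%"=="0x0" echo WARNING: EnableLUA is 0, UAC is disabled on this computer
endlocal
exit /b 0

:show
rem %1 = registry value name, %2 = the policy option it corresponds to.
rem reg query prints "    Name    REG_DWORD    0x1"; the third token is the value.
set "VAL=(not set)"
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %1 2^>nul ^| findstr /i "%1"') do set "VAL=%%v"
set "UAC_%~1=%VAL%"
echo %~1 = %VAL%   [%~2]
exit /b 0
```

A value that reports "(not set)" has never been written by policy and the built-in default applies.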
Demonstration: Working with User Account Control

In this demonstration, you will see how you can:
• Use UAC as an administrator.
• Use UAC as a standard user.
• Disable UAC.

Key Points
• User Account Control allows users to run as standard users and elevate privileges
only when required.

What Is Windows Defender?

Spyware is software that is installed without your knowledge to monitor what you do
with your computer. Spyware can cause serious problems. For example, it can steal the
personal information you enter into Web sites, such as online banking sites. Less serious
but also troublesome, spyware can present pop-up ads when you visit other Web sites or
replace advertisements on legitimate Web sites.
Most spyware is not well-written software. As a consequence, spyware often causes
computers to stop responding or run slowly.
Windows Defender
Windows Defender is software that prevents your computer from being infected by
spyware and removes spyware that is already installed. Previous revisions of Windows
Defender were named Windows AntiSpyware.
Windows Defender is available for Microsoft Windows® XP and Windows 2000.
However, the version of Windows Defender for Windows Vista has the following
features not found in other versions:
• Scan changed files only
• Run under a security-enhanced account
• Scan files when they are run
• Scan files as they are downloaded in Internet Explorer 7
Definition Files
Windows Defender uses spyware definition files to identify spyware. The definition files
contain signatures that uniquely identify files that have been determined to be spyware.
When the spyware files are identified, they can be removed. This process is similar to the
way antivirus software works.
To help build the spyware definition files, Microsoft has created a voting network to
collect information about spyware. If you choose to participate in the voting network,
information about the programs you have blocked is transmitted to the voting network.
Microsoft analyzes the blocked programs from users in the voting network and then
determines whether a particular program needs to be added to the spyware definition files.
Like antivirus software, Windows Defender definition files need to be updated regularly
to be useful. The definition files are updated daily by default. There is no cost for the
definition file updates.

Windows Defender Scanning Modes

The scanning mode you select for Windows Defender determines how your computer is
scanned for spyware. You can use Real-Time Protection, perform on-demand scans, and
schedule scans.
Real-Time Protection is the first line of defense in spyware protection. When Real-Time
Protection is enabled, Windows Defender monitors critical checkpoints in Windows. If
the Real-Time Protection system detects a change in any checkpoint, you are alerted and
given the option to allow or block the change. Using Real-Time Protection prevents the
installation of spyware.
Both on-demand scans and scheduled scans look for spyware that is already installed on
your computer. They are both useful even when Real-Time Protection is enabled. For
example, a computer could be infected with unrecognized spyware on Monday. Later in
the week, the spyware definitions are updated to recognize the spyware, but Real-Time
Protection will not find it, because it only monitors changes. An on-demand or scheduled
scan will find the spyware after it is installed.
On-demand scans are used to quickly determine whether a computer has spyware
installed when a problem occurs. Scheduled scans are used as part of an overall
monitoring system to catch spyware that is missed by Real-Time Protection.
Demonstration: Configuring Windows Defender

In this demonstration, you will see how you can:
• Configure a scheduled scan.
• Configure Real-Time Protection.
• Run a manual scan.

Key Points
• Windows Defender removes spyware and prevents spyware installation.

Network Protection Features in Windows Vista

Introduction
Networks are the source of many security problems, from hackers to viruses. It is
impossible to know the nature of every possible network attack, as the types of attacks
are evolving all of the time. In this section, you will see how Windows Firewall and
Network Access Protection help prevent network attacks, even those that are new.
Objectives
After completing this section, you will be able to:
• Describe Windows Firewall.
• Explain the new features in Windows Firewall.
• Describe Network Access Protection.
• List and explain the NAP components.
• Describe potential NAP implementation scenarios.
What Is Windows Firewall?


A firewall helps keep your computer more secure by controlling network access to your
computer. Firewalls allow or deny network packets that try to pass through them. This
gives you a line of defense against people or programs that try to connect to your
computer without an invitation.
Windows Firewall is enabled by default in Windows Vista and monitors incoming
packets. To allow network communication for specific applications, such as network
games or instant messaging, where communication may be initiated by another computer,
you need to create an exception for that application. In most cases, Windows Firewall
prompts you to allow or deny the exception when you run the program.
Windows Firewall can:
• Help block viruses and worms by not allowing access to vulnerable services by
default.
• Ask your permission to block or unblock connection requests made by software.
• Create a security log that allows you to monitor which network packets have been
blocked and where they are coming from.

New Features in Windows Firewall

The firewall in Windows Vista is significantly enhanced over the firewall in
Windows XP Service Pack 2 (SP2). The Windows Firewall enhancements in Windows
Vista are:
• Filtering for outbound traffic.
• Firewall filtering and Internet Protocol security (IPsec) settings are combined.
• Rules (exceptions) can be configured for many new situations.

Filtering Support
The firewall in Windows XP SP2 supported only inbound filtering. This is the most
important type of filtering because it controls external users or software attempting to
access the computer.
The firewall in Windows Vista supports inbound filtering and outbound filtering. This
allows network administrators to block packets that originate on a workstation from
reaching the network. Outbound filtering can be used to block users from accessing
external services, such as an external e-mail server. Outbound filtering can also be used
to prevent viruses from replicating over the network if they are known to use a specific
port.
Integration with IPsec
IPsec is a set of Internet standards that provide cryptographic protection for IP traffic. In
Windows Server® 2003 and Windows XP, Windows Firewall and IPsec are configured
separately. Because both a host-based firewall and IPsec in Windows can block or allow
incoming traffic, it is possible to create overlapping or contradictory firewall rules and
IPsec rules. The new Windows Firewall has combined the configuration of both network
services using the same graphical user interface (GUI) and command-line commands.
Another benefit to the integration of firewall and IPsec settings is that configuration of
IPsec settings is simplified.
Additional Rule Configuration Options
The firewall in Windows XP is capable of simple exceptions for incoming traffic. The
firewall in Windows Vista allows you to create flexible rules that can be used in a wide
variety of situations.
New rule configuration options are:
• For IPsec communication, you can limit initiation to certain Active Directory groups
or users.
• Configuration of source and destination IP addresses, as well as predefined addresses
for Windows Internet Name Service (WINS) servers, DHCP servers, DNS servers,
default gateway, and local subnet.
• IP protocol numbers can also be used in rules instead of just TCP or User Datagram
Protocol (UDP) ports.
• Source and destination TCP and UDP ports can be selected.
• All or multiple ports can be selected for a rule.
• Rules can be configured for specific interface types such as wireless.
• Additional Internet Control Message Protocol (ICMP) packet types can be added to
the default configuration.
• Rules can be configured for services regardless of the port numbers the service uses.

Windows Firewall Configuration

The basic settings for Windows Firewall are available through the same interface as
Windows XP. Windows XP made Windows Firewall settings available through Control
Panel.
To configure the advanced features of Windows Firewall on a single computer, you can
use the Microsoft Management Console (MMC) with the Windows Firewall and
Advanced Security snap-in. This single snap-in allows you to configure firewall rules and
IPsec communication.
To apply configuration settings to many computers, you can use the command netsh in a
batch file. Firewall configuration is performed in the advfirewall context. This context is
specific to Windows Vista.
The easiest way to manage Windows Firewall for Windows Vista is by using Group
Policy. All of the firewall configuration options are available by using Group Policy.
Computers running previous versions of Windows will ignore the Group Policy firewall
settings.
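The command-line side of what this section describes, as an added example that is not the course's own material: a batch file in the netsh advfirewall context that creates one rule for each of the new rule options listed under "New Features in Windows Firewall", turns on the security log, and exports the resulting policy for reuse on other computers. The rule names, the port choices and the 10.0.100.0/24 management subnet are constructed values.

```batch
@echo off
rem Added example (not from the course): a netsh advfirewall batch file that exercises the
rem Windows Vista rule options listed under "New Features in Windows Firewall". Rule names,
rem ports and the 10.0.100.0/24 management subnet are constructed. Run from an elevated prompt.

rem Outbound filtering: block workstation-initiated SMTP (TCP 25), the course's external mail server case.
netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block protocol=TCP remoteport=25

rem Predefined addresses: allow DNS queries only to the DNS servers this client is configured with.
netsh advfirewall firewall add rule name="DNS to configured servers only" dir=out action=allow protocol=UDP remoteport=53 remoteip=DNS

rem Interface types: no inbound file sharing (SMB, TCP 445) over wireless interfaces.
netsh advfirewall firewall add rule name="No inbound SMB on wireless" dir=in action=block protocol=TCP localport=445 interfacetype=wireless

rem Service rules: scope the Remote Registry service to the management subnet, whatever dynamic RPC port it listens on.
netsh advfirewall firewall add rule name="Remote Registry from management subnet" dir=in action=allow program="%SystemRoot%\system32\svchost.exe" service=RemoteRegistry remoteip=10.0.100.0/24

rem Multiple local ports plus IPsec: RPC endpoint mapper and Remote Desktop, only from the management
rem subnet and only over authenticated connections (requires a matching connection security rule).
netsh advfirewall firewall add rule name="Remote management, authenticated" dir=in action=allow protocol=TCP localport=135,3389 remoteip=10.0.100.0/24 security=authenticate

rem IP protocol numbers instead of TCP/UDP ports: allow GRE (protocol 47), used by PPTP tunnels.
netsh advfirewall firewall add rule name="Allow GRE" dir=in action=allow protocol=47

rem ICMP types: allow echo request (ICMPv4 type 8, any code) from the local subnet only.
netsh advfirewall firewall add rule name="Ping from local subnet" dir=in action=allow protocol=icmpv4:8,any remoteip=localsubnet

rem Security log: record dropped packets on every profile so blocked traffic and its sources can be reviewed.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

rem Verify, then export the policy so the same settings can be imported on other Windows Vista computers.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
netsh advfirewall export "%TEMP%\vista-firewall.wfw"
```

The exported .wfw file can be applied on another computer with netsh advfirewall import, which is the batch-file distribution approach this section mentions.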
Demonstration: Configuring Windows Firewall

In this demonstration, you will see how you can:
• Use the basic interface for Windows Firewall.
• Use the Windows Firewall with Advanced Security snap-in.
• Test a new rule.
• Configure Windows Firewall by using Group Policy.

Key Points
• Windows Firewall can now block outgoing packets.
• Windows Firewall can be managed by using a new snap-in for the MMC.
• Windows Firewall can be managed by using Group Policy.

What Is Network Access Protection?

Network Access Protection (NAP) is a policy enforcement platform built into the
Microsoft Windows Vista and Windows Server Code Name “Longhorn” operating
systems that allows you to better protect network assets by enforcing compliance with
system health requirements. With NAP, you can create customized health policies to
validate computer health before allowing access or communication, automatically update
compliant computers to ensure ongoing compliance, and optionally confine noncompliant
computers to a restricted network (previously known as quarantine) until they become
compliant.
Health requirement policies can include, but are not limited to:
• software update levels
• antivirus signatures
• specific configuration settings
• open and closed ports
• firewall settings

When a client attempts to access the network, it must present its system health state. If a
client cannot prove it is compliant with system health policy (for example, that it has the
latest operating system and antivirus updates installed), its access to the network will be
limited to a restricted network segment containing server resources so that compliance
issues can be remedied. After the updates are installed, the client requests access to the
network again. If compliant, the client is granted unlimited access, subject to any other
security restrictions in place.