Windows Vista for IT Professionals, Part 4

Session 1: Security Enhancements in Windows Vista 33

What Are the NAP Components?

Network Policy Server (NPS) is the main component in NAP and is a component of
Windows Server “Longhorn”. NPS serves as a central point where health policies can be
checked. NPS also coordinates Active Directory queries required for health policy checks.
Internet Authentication Service (IAS), found in previous versions of Windows Server,
has been replaced with NPS.
Each type of NAP enforcement requires an enforcement client (EC) on the network node
to negotiate health compliance. Each EC is specific to the type of NAP enforcement. For
example, DHCP enforcement requires a DHCP NAP EC. The required ECs are part of
Windows Vista and may also be released for Windows XP SP2.
IPsec Enforcement
IPsec enforcement limits communication on your network to computers that are
compliant with health policy requirements. This is the strongest form of NAP
enforcement.
A health certificate server and an IPsec NAP EC are required for IPsec enforcement. The
health certificate server issues X.509 certificates to clients when they are determined to
be compliant with the health policy requirements. These certificates are then used to
authenticate NAP clients when they initiate IPsec-secured communications with other
NAP clients on the network.
802.1X Enforcement
802.1X enforcement comprises an NPS server and an EAPHost NAP EC component.
Using 802.1X enforcement, an NPS server instructs an 802.1X access point (an Ethernet
switch or a wireless access point) to place a restricted access profile on the 802.1X client
until it performs a set of remediation functions. A restricted access profile can consist of a
set of IP packet filters or a virtual LAN (VLAN) identifier to confine the traffic of an
802.1X client. 802.1X enforcement provides strong limited network access for all
computers accessing the network through an 802.1X connection.


VPN Enforcement
Virtual private network (VPN) enforcement comprises a VPN NAP Enforcement Server
(ES) component and a VPN NAP EC component. Using VPN enforcement, VPN servers
can enforce health policy requirements any time a computer attempts to make a VPN
connection to the network. VPN enforcement provides strongly limited network access
for all computers accessing the network through a VPN connection.
DHCP Enforcement
DHCP enforcement comprises a DHCP NAP ES component and a DHCP NAP EC
component. Using DHCP enforcement, DHCP servers can enforce health policy
requirements any time a computer attempts to lease or renew an IP address configuration
on the network. DHCP enforcement is the easiest enforcement to deploy because all
DHCP client computers must lease IP addresses. However, DHCP enforcement relies on
entries in the IP routing table, so it is the weakest form of limited network access in NAP.

What Are the NAP Implementation Scenarios?

NAP is a flexible solution for enforcing health requirements on network computers
before allowing access. Some of the scenarios where NAP can be used are:
• Monitor the health of roaming portable computers. While portable computers are
away from the corporate network, they might not receive the most recent software
updates or configuration changes. In addition, portable computers may be infected
with viruses when they are exposed to unprotected networks such as the Internet.
You can use NAP to verify portable computer health each time a portable computer
connects to the corporate network either remotely through a VPN connection or
locally.
• Ensure the health of desktop computers. Desktop computers that do not have the
most recent updates are at a higher risk of virus infection from Web sites, e-mail, and
files in shared folders. You can use NAP to verify that desktop computers have the
most recent updates before allowing them to connect to the network.

• Determine the health of visiting portable computers. Organizations frequently need to
allow consultants and guests access to their private networks. The portable computers
that these visitors bring might not meet network requirements and can present health
risks. You can use NAP to limit visiting portable computers to a restricted network.
• Verify the health of unmanaged home computers. Unmanaged home computers
provide an additional challenge to network administrators because they do not have
physical access to these computers. Lack of physical access makes enforcing
compliance with network requirements (such as the use of antivirus software) more
difficult. Verifying the health of these computers is similarly challenging. You can
use NAP to check for required programs, registry settings, or files before allowing
home computers to access the network by using a VPN connection.

Internet Explorer 7 Security Enhancements

Introduction
Applications that communicate on the Internet are particularly vulnerable to security
flaws because they are exposed to a wide variety of data from unprotected networks. If
any flaw is found in an Internet-facing application, hackers can quickly exploit it. Internet
Explorer 7 includes many improvements to make Web browsing more secure.
Objectives
After completing this section, you will be able to:
• Describe the threats to Internet Explorer.
• Understand Internet Explorer Zones.
• Describe how Protected Mode reduces security vulnerabilities.
• Describe how Internet Explorer 7 blocks pop-up windows.
• Understand the Phishing Filter.
What Are the Threats to Internet Explorer?


Internet Explorer and other Web browsers are exposed to more security threats than most
software because they are used to retrieve information directly from the Internet. Hackers
can create Web sites that exploit known vulnerabilities. Just visiting a Web site that takes
advantage of a vulnerability can cause malware to be installed or change system settings.
In rare cases, there are unknown vulnerabilities that are discovered and used by hackers
for a period of time before they become well known.
Most Internet Explorer vulnerabilities are a result of scripts being included as part of the
Web page. Many Web pages include JavaScript or VBScript to create dynamic Web page
elements. However, if the scripting engine in Internet Explorer does not handle certain
coding properly, a hacker may be able to run arbitrary code on the workstation or perform
other tasks.
Other Internet Explorer vulnerabilities are the result of specially crafted image files or
Web page content that confuse the components that are supposed to render them. When
the image file or Web page content is rendered incorrectly, malware can be installed.
The best way to reduce Internet Explorer vulnerabilities is by applying updates when they
are available. Updates are used to eliminate known vulnerabilities.

What Are Internet Explorer Zones?

Internet Explorer provides a wide variety of security options that you can configure.
These security options define the rules for how to handle content such as Microsoft
ActiveX® controls or scripting in Web pages.
Internet Explorer zones let you configure different security options for categories of Web
sites. Each zone is a category of Web sites.
The Internet Explorer zones are:
• Internet. All Web sites not specifically included in another zone are part of the
Internet zone. The default security level for this zone is Medium-high, which is
suitable for viewing most Web site content.

• Local intranet. For Windows Vista computers joined to a domain, the Local intranet
zone includes all computers that are part of the domain. For Windows Vista
computers that are not joined to a domain, the Local intranet zone is not used. The
default security level for this zone is Medium-low to allow intranet applications that
require advanced scripting options and ActiveX controls to function properly.
• Trusted sites. You must specifically add sites to the Trusted sites zone. No sites are in
the Trusted sites zone by default. You can use the Trusted sites zone for partner Web
sites that need to run advanced scripting and ActiveX controls to run properly. The
default security level for this zone is Medium.
• Restricted sites. You must specifically add sites to the Restricted sites zone. No sites
are in the Restricted sites zone by default. You can use the Restricted sites zone for
Web sites that you are concerned might be dangerous, or just to stop scripting on
Web pages that you find annoying. The security level for this zone is High and
cannot be lowered except by using custom settings.

What Is Protected Mode?

Protected Mode is a new feature in Internet Explorer 7 that reduces the impact of
vulnerabilities that have not been corrected. When Protected Mode is in use for an
Internet Explorer zone, Internet Explorer runs as a low integrity process. As a low
integrity process, Internet Explorer can only modify low integrity resources, which is a
very limited area.
Integrity levels are a new feature in Windows Vista that are added to the access control
list (ACL) of objects. Traditionally, objects such as files and registry keys contained only
user and group permissions in the ACL. Integrity levels have been added as an additional
security mechanism to control which processes are able to access resources.
Low Integrity Processes
Low integrity processes can only write to folders, files, and registry keys that have been
assigned a low integrity mandatory label. As a result, Internet Explorer and extensions
run in Protected Mode can only write to low integrity locations, such as the new low
integrity temporary Internet files folder, the History folder, the Cookies folder, the
Favorites folder and the Windows temporary file folders. Any resources not specifically
assigned an integrity level are considered medium integrity level.
Furthermore, the Protected Mode process will run with a low desktop integrity level
when Windows Vista ships, which will prevent it from sending specific window
messages to higher integrity processes.
By preventing unauthorized access to sensitive areas of a user's system, Protected Mode
limits the amount of damage that can be caused by a compromised Internet Explorer
process. An attacker cannot, for example, silently install a keystroke logger to the user's
Startup folder. Likewise, a compromised process cannot manipulate applications on the
desktop through window messages.
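The labels described above can be inspected from the command line. The following PowerShell is an added example, not part of the original workbook. It assumes PowerShell is installed and that `whoami` and `icacls` produce English-language output. The scratch folder name is constructed for the demonstration.

```powershell
# Added example, not from the workbook. Assumes English-language whoami/icacls output.
$labelPattern = 'Mandatory Label\\(\w+) Mandatory Level'

function Get-ProcessIntegrityLevel {
    # The token's integrity SID appears in "whoami /groups" as
    # "Mandatory Label\<Level> Mandatory Level".
    $hit = whoami /groups | Select-String -Pattern $labelPattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Unknown' }
}

function Get-PathIntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    # icacls lists a "Mandatory Label" entry only when the object carries one;
    # an object with no label is treated as medium integrity.
    $hit = icacls $Path | Select-String -Pattern $labelPattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Medium (no explicit label)' }
}

# Constructed scratch folder: unlabeled at first, then explicitly labeled Low,
# which is what makes a location writable from a low integrity process.
$scratch = Join-Path $env:TEMP ('il-demo-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $scratch | Out-Null
$before = Get-PathIntegrityLabel $scratch
icacls $scratch /setintegritylevel '(OI)(CI)L' | Out-Null
$after = Get-PathIntegrityLabel $scratch
Remove-Item -Path $scratch -Recurse -Force

# Defender check: the Startup folder must not carry a Low label,
# otherwise a low integrity process could write to it.
$startup = [Environment]::GetFolderPath('Startup')

[pscustomobject]@{
    ProcessIntegrity = Get-ProcessIntegrityLevel
    ScratchBefore    = $before
    ScratchAfter     = $after
    StartupLabel     = Get-PathIntegrityLabel $startup
}
```

Run it from a normal, non-elevated session; a `StartupLabel` of `Low` would mean the protection described in this section does not cover that folder.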
Backward Compatibility
Some Web applications require backward compatibility because they assume that they
have greater privileges than a low integrity process. To accommodate the need for
backward compatibility, Internet Explorer can employ redirection or elevate privileges.
Redirection takes access attempts such as writing files and registry keys in medium
integrity locations and redirects them to low integrity locations. Privilege elevation asks
for a user’s consent before elevating to access resources outside of the low integrity
locations.

Demonstration: Configuring Protected Mode

In this demonstration, you will see how you can:
• Enable Protected Mode for all zones.
• Configure customized security settings.


Key Points
• Internet Explorer categorizes Web sites into zones.
• Each zone has independent security settings.
• Internet Explorer 7 has a new Protected Mode, which by default runs Internet Explorer
as a low-privilege process.
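To check the result of this configuration on a workstation, the per-user zone settings can be compared with the defaults listed in the zones section. The following PowerShell is an added example, not part of the original workbook. The registry location, the `CurrentLevel` template values and the `2500` Protected Mode action are not given in the workbook and are assumed here to be the standard per-user Internet Explorer zone settings.

```powershell
# Added example, not from the workbook. Reads per-user settings only;
# Group Policy can override these values.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Security-level templates stored in the CurrentLevel value (0 means custom settings).
$levelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'; 0 = 'Custom'
}

# Default levels as stated in the zones section of this workbook.
$zones = @(
    @{ Id = 3; Name = 'Internet';         Default = 'Medium-high' },
    @{ Id = 1; Name = 'Local intranet';   Default = 'Medium-low'  },
    @{ Id = 2; Name = 'Trusted sites';    Default = 'Medium'      },
    @{ Id = 4; Name = 'Restricted sites'; Default = 'High'        }
)

function Get-ZoneAudit {
    foreach ($z in $zones) {
        $props = Get-ItemProperty -Path "$zonesKey\$($z.Id)" -ErrorAction SilentlyContinue

        # Translate the stored template number into the name used in the UI.
        $level = 'Not set'
        if ($props -and $null -ne $props.CurrentLevel) {
            $level = $levelNames[[int]$props.CurrentLevel]
            if (-not $level) { $level = 'Unrecognized' }
        }

        # URL action 2500 controls Protected Mode: 0 = on, 3 = off.
        $pm = if ($props) { $props.'2500' } else { $null }
        if     ($null -eq $pm) { $pmState = 'Not set' }
        elseif ($pm -eq 0)     { $pmState = 'On' }
        elseif ($pm -eq 3)     { $pmState = 'Off' }
        else                   { $pmState = "Other ($pm)" }

        [pscustomobject]@{
            Zone          = $z.Name
            CurrentLevel  = $level
            DefaultLevel  = $z.Default
            MatchesDoc    = ($level -eq $z.Default)
            ProtectedMode = $pmState
        }
    }
}

Get-ZoneAudit | Format-Table -AutoSize
```

A `Custom` level on the Restricted sites zone deserves a closer look, since custom settings are the only way that zone can be lowered below High.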
How Internet Explorer 7 Prevents Pop-Up Windows

Internet Explorer 7 includes a Pop-up Blocker to stop most pop-up windows. A pop-up
window is a small Web browser window that appears on top of the Web site you are
viewing. Pop-up windows often open as soon as you visit a Web site and are usually used
for advertising.
When a pop-up window is blocked, the message “Pop-up blocked. To see this pop-up or
additional options click here” appears in the information bar. When you click on the
information bar you can allow the pop-up window one time or permanently from that
Web site.
The default configuration of Pop-up Blocker does not stop pop-up windows that are
triggered when you click on a link. This allows many online applications to work
properly. However, you may be required to add an exception for online applications such
as banking.

You can configure the filtering level for Pop-up Blocker as:
• High: Block all pop-ups. This setting blocks all pop-up windows, including those that
are created by clicking a link.
• Medium: Block most automatic pop-ups. This setting blocks most pop-up windows,
but allows pop-up windows that are triggered when you click a link.
• Low: Allow pop-ups from secure sites. This setting automatically allows pop-up
windows for sites accessed with the HTTPS protocol. Non-HTTPS sites are treated
the same as when the Medium setting is selected.

Pop-up windows are not blocked for sites in the Local intranet or Trusted sites
zones.
Demonstration: Configuring the Pop-up Blocker

In this demonstration, you will see how you can:
• Test Pop-up Blocker default settings.
• Configure Pop-up Blocker settings.

Key Points
• The Pop-up Blocker prevents most Web page pop-up windows.
• You can configure how sensitive the Pop-up Blocker is.

What Is the Phishing Filter?

The Phishing Filter is a new feature in Internet Explorer 7 that helps detect phishing Web
sites. A phishing Web site is designed to look like a legitimate Web site that collects
personal information or logon information, such as an online banking site. However, the
phishing site collects information for criminals to steal money or perform identity theft.
Most phishing attempts start with an e-mail message asking users to click a link and
verify their information or log on.
Detecting Phishing Sites
The Phishing Filter performs three tasks to detect phishing sites:
• The Web site addresses you visit are compared to a list of known legitimate Web
sites to ensure legitimate sites are not blocked.
• The Web sites you visit are analyzed to see if they have the characteristics of a
phishing Web site.
• The Web site addresses you visit are compared to a list of known phishing Web sites.


If the site you are visiting is on the list of reported phishing Web sites, a warning page is
displayed. From the warning page, you can select to continue to the Web site or close the
page. If the Web site you are visiting contains characteristics common to a phishing Web
site, but is not on the list of known phishing Web sites, a warning is displayed in the
information bar.
Reporting Phishing Sites
Within the Phishing Filter menu, users can report a potential phishing site. Microsoft
verifies phishing sites before they are added to the list of known phishing sites. However,
if your Web site is incorrectly listed as a phishing site, you can also report the incorrect
listing to Microsoft for removal.

Demonstration: Configuring the Phishing Filter

In this demonstration, you will see how you can:
• Configure the Phishing Filter.

Key Points
• The Phishing Filter prevents malicious Web sites from impersonating legitimate Web
sites and stealing your personal information.
Data Protection Features

Introduction
Traditionally, it has been difficult to protect data that moves outside of the enterprise. As
soon as a portable computer has been stolen or a file sent via e-mail, the corporate
information technology department no longer has control over who can access the data or
what it can be used for. BitLocker Drive Encryption protects the data on portable
computers outside the enterprise. Rights management controls the use of data that is
distributed outside the enterprise.
Objectives
After completing this section, you will be able to:
• Describe the risks to data.
• Understand BitLocker Drive Encryption.
• List the BitLocker requirements.
• Understand the differences between BitLocker and Encrypting File System.
• Describe rights management.
• Understand how rights management works.


What Are Some of the Risks to Data on Mobile Computers?

In a corporate environment, it is important that data is available only to authorized users.
More stringent regulations and privacy laws make it even more important for data to be
protected.
On a local area network, data is well protected from unauthorized access by storing it on
a network server and configuring permissions. The permissions control which users have
access to the data and which users do not. In addition, physical access to file servers can
be secured.
Data stored on portable computers is particularly vulnerable because portable computers
are often lost or stolen. After a portable computer is lost or stolen, the data can be
accessed in a number of ways:
• Move the hard drive to an alternate computer. When the hard drive from one
Windows computer is placed in another Windows computer, the Administrator
account is automatically given access to all files.
• Boot an alternate operating system. Data on a Windows hard drive can be accessed
by using Linux on a floppy disk or USB drive to boot the portable computer and load
an NTFS driver. The NTFS driver does not respect the NTFS permissions in the file
system and the thief has full access to the data.
• Reset user passwords. A number of utilities exist that allow you to reset local user
passwords on a Windows workstation if you can boot from a floppy disk or other
removable storage.
• Modify system components. If the system can be started from a floppy disk or other
removable storage, replacement files for Windows components can be placed on the
hard drive. These replacement files can be low level components that allow thieves to
access data encrypted by using the Encrypting File System (EFS).

Data stored on computers in an office is better protected than portable computers because
physical access to the computers is limited. However, when computers are disposed of,
most data is easily recoverable even after reformatting disks or removing the partitions. A
number of free utilities allow you to scan disks for deleted data.
