Sybex MCITP: Microsoft Windows Vista Desktop Support Consumer Study Guide (Exam 70-623), part 7

Chapter 5

Configuring Windows Vista Security
TABLE 5.6 High Settings That Are More Restrictive Than the Medium-High Security Level (continued)
Setting | Option
Allow Webpages to Use Restricted Protocols for Active Content | Disable
Drag and Drop or Copy and Paste Files | Prompt
Include Local Directory Path When Uploading Files to a Server | Disable
Installation of Desktop Items | Disable
Launching Applications and Unsafe Files | Disable
Launching Programs and Files in an IFRAME | Disable
Open Files Based on Content, Not File Extension | Disable
Software Channel Permissions | High Safety
Submit Non-encrypted Form Data | Prompt
Userdata Persistence | Disable
Websites in Less Privileged Web Content Zone Can Navigate into This Zone | Disable
Active Scripting | Disable
Allow Programmatic Clipboard Access | Disable
Scripting of Java Applets | Disable
Logon | Prompt for User Name and Password

Now in Exercise 5.2, you will set up a Custom security level in Internet Explorer.
EXERCISE 5.2
Customizing Internet Explorer’s Security Zones
1. Open Internet Explorer from your Windows Vista computer (Start > Internet Explorer).
2. Select Tools > Internet Options.
65348c05.fm Page 298 Monday, October 22, 2007 9:45 PM
3. Click the Security tab, as shown here.
4. In the Select a Zone to View or Change Security Settings box, click Internet and then click
the Custom Level button.
5. From here, find the section called ActiveX Controls and Plug-ins. Find Allow Scriptlets
and click Prompt. Now find Download Unsigned ActiveX Controls and click Prompt.
Finally, find Initialize and Script ActiveX Controls Not Marked as Safe for Scripting and
click Prompt. Then click OK.
These settings can be useful if you need to run a custom script that is not yet signed and
exists outside of your intranet zone. For example, if you have a development team working
on some ActiveX controls, they may have a need to run ActiveX controls that normally
would be deemed suspicious. These customizations allow them to use these controls. Even
better, you could isolate these settings to the Trusted Sites zone and add the known
website to that zone. This would give you the flexibility to work with unsigned ActiveX content
but isolate which websites get the new set of rules. If the websites are internal to the
company and inside the Intranet zone, you could make these changes to the Intranet zone.
When modifying zone settings to reduce security, you should try to use the proper zone to
isolate relaxed security rules to a narrow field of potential websites and limit your exposure
to threats.
6. Click Reset All Zones to Default Level. This will reset all of the changes you just made and
take the zone settings back to the defaults.
Configuring User Account Control
Windows Vista introduces a new security feature, known as User Account Control (UAC).
UAC provides a new layer of security for gaining administrator privileges on a Windows Vista
machine. On the surface UAC is simple. All users run as standard users with reduced privileges
and any time an action requires administrator rights, UAC comes into play. Depending on the
settings and the user type, UAC will have different effects. If the user is an administrator, they
may just be prompted to approve the elevation of privileges, while standard users are
prompted for administrator credentials. We talked briefly about UAC in Chapter 2, including
the rights that standard and administrative users have in Windows Vista. In this section we
will look at the options you have for configuring UAC.
UAC is configured via Group Policy, either from a domain or from local Group Policy. To
view the UAC settings for a Windows Vista box, you must first launch the Local Security Policy
application by selecting Start > All Programs > Administrative Tools > Local Security Policy.
Once open, expand Local Policies and select Security Options. At the bottom of the list of
policies you should now see nine UAC policies, all prefaced with User Account Control, as shown
in Figure 5.36.
The UAC settings are broken into two categories: seven of them are UAC settings that
can be enabled or disabled, and the other two represent the configuration options for UAC
prompts.
FIGURE 5.36 The Local Security Policy showing the policies for UAC
Understanding UAC Settings
The settings are the most important policies that you will deal with as they turn features of
UAC on or off. These settings control how UAC works and what features will affect different
users. The UAC settings and a description of each follow:

User Account Control: Admin Approval Mode for the Built-in Administrator Account
This setting allows you to control whether the built-in administrator account will run in Admin
Approval mode. The default setting for this policy depends on how Windows Vista was installed
and the state of the local administrator account during install. For new installations, this policy
is disabled because the local administrator account is disabled as well. For upgrades, Windows
Vista will disable this policy and the local administrator account if there are other accounts with
administrator rights on the machine. If the local administrator account is the only administrator
account, then this policy will be enabled, requiring the local administrator account to run in
Admin Approval mode.

User Account Control: Detect Application Installations and Prompt for Elevation
When this policy is enabled, which it is by default, Windows Vista will detect an application
install and prompt for consent or credentials. When this policy is disabled, it will cause
application installations to fail without error or with a nondeterministic error.

User Account Control: Only Elevate Executables That Are Signed and Validated
This policy controls how applications are allowed to elevate their permissions. Just like users,
applications can perform functions that require administrative rights. When this policy is enabled,
applications will need to have PKI signatures in order to elevate. By default this policy is
disabled and both signed and unsigned applications will be allowed to elevate.

User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations
When this option is enabled, Windows Vista will only give UIAccess privileges
and user rights to applications launched from Program Files or from the Windows directory.
Any UIAccess application launched from different directories will run without additional
privileges. Enabled is the default setting. When the option is disabled, the location check is
not done and UIAccess applications can run from any directory.

User Account Control: Run All Administrators in Admin Approval Mode
This setting is essentially the toggle switch for all of UAC. When it’s enabled, both standard
users and administrators will be prompted when they attempt to perform an administrative action.
When this policy is disabled, UAC will not prompt when administrative tasks are performed. By
default, this setting, and hence UAC, are enabled.

User Account Control: Switch to the Secure Desktop When Prompting for Elevation
This policy controls whether UAC prompts are displayed in the secure desktop. Sounds pretty cool,
huh? This is just the setting that tells UAC to disable all other application activity and take
over the entire interface (which is the default). If you disable this setting, the UAC prompts will
be just like any other dialog box, and that means malicious code can “click” OK to approve
administrative action.

User Account Control: Virtualize File and Registry Write Failures to Per-User Locations
This option is simple; it controls how Windows Vista will interact with older, non-UAC aware
applications. When the option is enabled, which is the default, attempts by an application to
write to the Program Files, Windows, or System32 directories or the HKLM\Software registry
key will be redirected to safe areas of the disk. This allows the older application to think it’s
working while preventing access to these critical sections of the system. When disabled, this
policy will cause the application to receive an error when such a write attempt is made.
Configuring UAC Prompts

The final two policies control the behavior of prompts for administrators in Admin Approval
mode and for standard users. The configuration of your environment and the level of security
you want to enforce dictate how you set these policies.

User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
You have three options when configuring Admin Approval mode:
- Prompt for Consent: This is the default option; administrators will be prompted for approval
  when performing administrative tasks.
- Elevate Without Prompting: This option essentially disables Admin Approval mode as
  elevation will occur silently without a prompt.
- Prompt for Credentials: This option will force administrators to enter their credentials
  in order to perform the actions. This is the most secure option as a machine that is left
  unattended could not cause much damage since the administrator must log in again to
  perform the action.

User Account Control: Behavior of the Elevation Prompt for Standard Users
This policy controls the prompt for standard users. The options are simple:
- Prompt for Credentials: The default option prompts the user for credentials. This
  allows for over-the-shoulder credentials to be used in your environment.
- Automatically Deny Elevate Requests: Users are denied access when attempting to
  perform an elevated action.

Troubleshooting User Account Control
Now we want to look at some common issues you may run into when running UAC on your
Windows Vista machines. Mostly, UAC settings are either on or off, and there isn’t a lot to it,
so most of your time troubleshooting UAC will be spent troubleshooting your users’
experience with UAC. Having a good understanding of each of the settings is the first step to fixing
UAC problems for your users. The next step is to understand how the settings can change the
experience the user is currently getting.
Troubleshooting Application Issues
When an application needs to run in a UAC environment, several components of UAC can
affect how those applications behave. In this section we will look at two things that can make
or break an application in a UAC environment: the Application Information service and File
and Registry Virtualization.
Application Information Service
A critical component of UAC is the Application Information service. This service facilitates
application elevation when the application needs to run with administrative privileges. If this
service is running and a properly designed application needs to be elevated within the
constructs of UAC, the user will receive a UAC prompt and the elevation will be allowed,
assuming the user allows the elevation. The elevated credentials apply only to the application; once
the application is closed, the elevated session goes away. When the Application Information
service is not running, the application will attempt to run with the current user’s credentials
and will not generate a UAC prompt. Depending on the user’s credentials, the application
could fail silently or with nondeterministic errors. Any time you have apps failing to run that
require elevated rights or that run fine on another machine, check to ensure that the
Application Information service is running.
UAC Virtualization Issues
Older applications running on Windows Vista are likely not to be UAC aware. Many
applications required administrative permissions to run as they wrote to system directories, such as
Program Files or Windows, or to the Windows registry. Many areas of Windows Vista have
been locked down to prevent system problems that can be caused by poorly written
applications. This lockdown will prevent applications from writing to these protected folders and the
registry. Now we will explore what you need to do when older applications aren’t playing nice
in Windows Vista.
One of the policy settings for UAC is Virtualize File and Registry Write Failures to Per-User
Locations. If you find that an application is failing with an error, displaying a cryptic error
message, or specifically giving an error about not being able to access a file or the registry, you may
want to check this policy setting. When Virtualization is enabled, if an application attempts to
write to a protected location, the file or registry key it is trying to write is copied to the
current user profile location and the user can then modify it. Further calls to the same file or
registry key are redirected to the user profile copy. This prevents the application from writing to
a protected area but the application is tricked into thinking the operation succeeded. If this
policy setting is turned off, Virtualization will not work and your applications could fail.
Troubleshooting UAC Policy Settings
Users may experience prompts they are not expecting when working with UAC. Administrators
commonly complain that they don’t like the requirement of confirming administrative tasks. If you
decide to turn off elevate prompts for your administrators, you need to know the ramifications
of changing the UAC policies. There are several policies that you may be tempted to change
when attempting to remove prompts for your administrators. Let’s look at how each of these
settings affects the administrator’s prompts and which one is the most appropriate to use:

User Account Control: Admin Approval Mode for the Built-in Administrator Account
This setting controls the Admin Approval mode for the built-in administrator account. This
is the account, named Administrator, which exists on all Windows Vista machines. In many
cases this account will be disabled regardless of this policy’s setting. The best practice is to
avoid using this account unless there is a specific problem you are attempting to correct, so
your administrators shouldn’t be using it as a matter of course. Changing this policy will have
no effect on the prompts that your administrative users see when logged in with their accounts.

User Account Control: Run Administrators in Admin Approval Mode
This setting controls how administrative accounts run. When enabled, administrators will be in
Admin Approval mode and, by default, will receive prompts to confirm administrative actions. On
the surface, it would look as though this is the policy we should disable to prevent administrators
from getting UAC prompts. In reality, disabling this policy will effectively shut down UAC for all
users, both administrators and standard users, and cause users to receive a warning that the overall
security of the operating system has been reduced. So, again, this is the wrong policy to
accomplish our goal.

User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
Finally, this is the policy that affects the behavior of the elevation prompt for
users in Admin Approval mode. By default, the policy is set to Prompt for Consent, which will
require that administrators confirm administrative actions. Alternatively you can set this
policy to Elevate Without Prompting. With this policy changed to Elevate Without Prompting,
administrators will not receive a prompt when performing administrative actions, but UAC
will remain on for standard users. This option is the only one we want to change to cause
administrators to stop getting prompts for elevates.

Most of the problems you encounter with UAC will be related to the settings of the UAC
policies. Be sure to check the settings to ensure that everything is configured in accordance
with your environment. The best weapon you have is to understand what each policy does and
to know the ramifications of changing their settings.
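
The policy checks described in this section, as an added example that is not part of the original text: a PowerShell audit that flags the UAC settings the chapter describes as weakening or breaking UAC. The registry value names under the Policies\System key, their numeric meanings (the Windows Vista ones), the Appinfo service name and the function names are assumptions not found on the page, and the sample input is constructed.

```powershell
# Added example (not from the book): audit UAC policies through the registry
# values that back them. Value names and numeric meanings are the Windows Vista
# ones and are not taken from the page.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: registry value, policy name as listed in the text, the value(s)
# that weaken or break UAC, and the effect the text describes for that state.
$UacChecks = @(
    @{ Name = 'EnableLUA'; Weak = @(0)
       Policy = 'Run All Administrators in Admin Approval Mode'
       Effect = 'UAC is shut down for administrators and standard users alike' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Weak = @(0)
       Policy = 'Behavior of the Elevation Prompt for Administrators in Admin Approval Mode'
       Effect = 'Elevate Without Prompting: administrators elevate silently' },
    @{ Name = 'PromptOnSecureDesktop'; Weak = @(0)
       Policy = 'Switch to the Secure Desktop When Prompting for Elevation'
       Effect = 'Prompt is an ordinary dialog box that other code can click' },
    @{ Name = 'EnableInstallerDetection'; Weak = @(0)
       Policy = 'Detect Application Installations and Prompt for Elevation'
       Effect = 'Installations fail without error or with a nondeterministic error' },
    @{ Name = 'EnableSecureUIAPaths'; Weak = @(0)
       Policy = 'Only Elevate UIAccess Applications That Are Installed in Secure Locations'
       Effect = 'UIAccess applications can run from any directory' },
    @{ Name = 'EnableVirtualization'; Weak = @(0)
       Policy = 'Virtualize File and Registry Write Failures to Per-User Locations'
       Effect = 'Older applications get an error when writing to protected locations' }
)

function Test-UacPolicy {
    # $Values maps registry value name -> DWORD, so the check also runs offline.
    param([Parameter(Mandatory = $true)][hashtable]$Values)

    foreach ($check in $UacChecks) {
        # A value that is absent has not been configured; report nothing for it.
        if (-not $Values.ContainsKey($check.Name)) { continue }
        $actual = [int]$Values[$check.Name]
        if ($check.Weak -contains $actual) {
            New-Object PSObject -Property @{
                Policy = $check.Policy
                Value  = "$($check.Name)=$actual"
                Effect = $check.Effect
            } | Select-Object Policy, Value, Effect
        }
    }
}

function Get-UacPolicyValues {
    # Read the configured values from the live registry (Windows only).
    $props  = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($check in $UacChecks) {
        $p = $props.PSObject.Properties[$check.Name]
        if ($p) { $values[$check.Name] = $p.Value }
    }
    $values
}

function Test-AppInfoService {
    # The Application Information service has to be running for elevation to work.
    (Get-Service -Name Appinfo).Status -eq 'Running'
}

# Constructed sample: UAC left on, but administrators set to Elevate Without
# Prompting and the secure desktop turned off.
$sample = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 0
    PromptOnSecureDesktop      = 0
    EnableVirtualization       = 1
}
Test-UacPolicy -Values $sample | Format-List

# On a live machine:
#   Test-UacPolicy -Values (Get-UacPolicyValues)
#   Test-AppInfoService
```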
Configuring Windows Updates
Operating systems and applications will require security patches and updates over time. These
are often required because hackers found a weakness in a piece of code that would allow them
to exploit your system or a bug has been identified in an application and the vendor wants to
update before it causes any problems. Windows Vista comes with the new and improved
Windows Update applet. In previous versions of Windows, users would go to the Windows Update
website to obtain security patches and updates. Behind the scenes the process is much the same,
but in Windows Vista the Windows Update applet takes the guesswork out of the process.
To configure Windows Update, you first must open the application. The easiest way to do
so is by selecting Start > All Programs > Windows Update. This will launch the main screen,
shown in Figure 5.37.

FIGURE 5.37 The main screen of Windows Update
This screen gives you a status of the updates required by your system. The top section tells
you how many important and optional updates you need to install on this system. The bottom
section provides information about Windows Ultimate Extras. These extras are only available
if you are running Windows Vista Ultimate, and they provide things like new games or new
desktop themes. These updates are in no way required. Before you see this status, you may see
a message that says “Checking for updates” when you first load the applet; this indicates that
Windows Vista is communicating with Microsoft to find updates.
The four lines at the bottom of the screen let you quickly see how Windows Update is
configured. These tell you several important things that you can use for informational purposes
or during troubleshooting:

Most Recent Check for Updates
This was the last time that Windows Update connected to check for new updates.

Updates Were Installed
This is the date and time that the last update was installed. You can
click the link View Update History to see a list of updates that have been applied to this system.

You Have Windows Set To
This will give you the details on your automatic settings. We will look at these shortly.

You Receive Updates
This final line tells you which products are updated (Windows and other products) and
where Windows Update looks to find its updates.
Along the left side of the screen, you have access to the settings and features of Windows
Update. Let’s take a look at each of these options:

Check for Updates
This will force Windows Update to connect to the server and look for newly available updates.

Change Settings
The Change Settings screen is broken down into three sections, as shown in Figure 5.38.
The first section allows you to control how updates will be downloaded and applied. You
must choose one of four options:
- Install Updates Automatically: This option allows Windows Vista to download and
  install updates automatically without asking for permission. If you choose this option,
  you must also pick a day and time for the download and install to occur.
- Download Updates but Let Me Choose Whether to Install Them: Updates will be
  downloaded automatically, but you need to tell Windows Vista to go through with
  the installation every time updates have been downloaded.
FIGURE 5.38 The settings screen for Windows Update
- Check for Updates but Let Me Choose Whether to Download and Install Them:
  Windows Update will notify you when new updates are available, but you have to initiate
  the download and installation.
- Never Check for Updates: Windows Update will not check for updates at all. You will
  need to manually run Windows Update and select Check for Updates in order to
  download and install updates.
The second section lets you specify whether to include recommended updates. Selecting this
option will cause Windows Update to notify, download, and install recommended updates in
addition to critical updates. Clearing this option will cause you to receive only critical updates
automatically. The final option allows you to select whether to use Microsoft Update. Microsoft
Update is the subcomponent of Windows Update that allows updates for products besides
Windows Vista to be downloaded and installed.

View Update History
This will show you all the updates that have been installed on the system via Windows Update.
This screen also provides you with a link to the Install Updates section of the Programs and
Features applet, where you can uninstall updates.

Restore Hidden Updates
When you are presented with updates that you decide not to install,
such as optional language packs, you can opt to hide these updates. When updates are hidden,
you will not see anything about them in Windows Update. This option provides you with a list
of all the hidden updates; you can then unhide any that you want to install.

Updates: Frequently Asked Questions
This provides a link to a help file of FAQs about Windows Update.

Learn About Windows Ultimate Extras
This link, only visible when you’re running Windows
Vista Ultimate Edition, takes you to a screen that provides more details on Ultimate Extras.
Manually Applying Security Patches and Updates
If there are optional updates that you want to install, you may find yourself in a situation
where you have to manually apply an update. To manually apply an update, first launch
Windows Update. If there are updates to install, you will see that on the main screen, as shown in
Figure 5.39.
Click View Available Updates, and you will be presented with a list of the updates available
for installation. Figure 5.40 shows the list of updates currently available for installation on the
system.
This list provides a few pieces of information to help you determine whether you want to
install the update. Right-clicking an update offers three options:

View Details
This will open a small dialog box providing more information on what the
update is as well as links to more information on the Internet.
FIGURE 5.39 Windows Update, showing two optional updates are available
FIGURE 5.40 The list of available updates via Windows Update

Copy Details
This will copy the text of the details to the Clipboard so that it can be pasted
into another document.

Hide Update
This will hide the update for the application. To install this update at a later
time, you will first need to unhide it from the Restore Hidden Updates screen.

Once you have reviewed the details, place a check mark next to the updates you want and
click Install. Windows Update will handle the rest; the update will be downloaded and
installed on your system.
Protecting Data
High-profile data theft continues to make headlines. From hacking computers to lost laptops,
users need to protect sensitive data on desktops and laptops the way an administrator might
protect servers, maybe even more so because these computers leave the protection of your
home more often. The files on the hard drive of a laptop may contain sensitive data that, if
compromised, could cause you to lose personal information that could expose you to identity
theft. Windows Vista introduces a much richer set of tools for managing and auditing access
to resources. Making sure that the proper people have access to sensitive files is a good first
step, but also taking measures to protect the information even if it’s lost has become a
necessity. In the following sections, you will take a look at the technologies you can use to keep
unauthorized users out and protect data even if a whole computer is lost or stolen.
Setting Up File-Level Security Using the Encrypted File System
The Encrypted File System (EFS) enables encryption of files and folders to protect the data
from unauthorized access. This system is unlike some file encryption systems, because it is
transparent to normal use. There is no need to go through a process to decrypt or encrypt files;
it is all done behind the scenes once you have completed setup.
EFS is not new, but there are several new features that are gained when using EFS with
Windows Vista:
- You can store user keys on a smart card. A smart card is a portable, tamper-resistant,
  integrated circuit card that contains secure identification information.
- You can also store recovery keys on smart cards, providing a recovery method without a
  dedicated recovery station.
- You can encrypt the page file using a system-generated key that is destroyed once this
  system is shut down.
- Support for more kinds of user certificates and keys is available.
With any security comes more complexity. Even though EFS is relatively easy on the
user, you should make note of these considerations. Encryption does impact performance.
When a file is opened and closed, it has to be decrypted and encrypted again. Although this
performance impact is usually imperceptible, there can be certain circumstances where EFS
could affect performance for some disk-intensive operations. Encryption has the potential
to lock a user and the administrator out of the encrypted files. If they are mishandled or the
key is lost, the files run the danger of becoming “un-decryptable.” You also run the risk of
leaving sensitive information open if you haven’t applied EFS to all of the proper folders.
This can include the Desktop or temporary folder where applications store temporary
versions of their files.
The Encrypted File System is based on certificates. A certificate is a digital document
that validates an identity. This certificate is issued by Windows Vista in conjunction with
an encryption key, which is the key used to encrypt and unencrypt files. As long as the
certificate and keys are in place, the encryption process is transparent to the user. EFS is easy
to enable on any Windows Vista Business, Enterprise, or Ultimate edition. From the folder
or file that should be encrypted, right-click and choose Properties, and then on the General
tab click Advanced. In the Advanced Attributes dialog box, select the Encrypt Contents to
Secure Data check box, as shown in Figure 5.41. To permanently decrypt a file or folder,
just uncheck the same box.
The keys to allow access to encrypted files are stored by default on the system volume
on the hard drive. Windows Vista provides a method to also back up your EFS keys. This
is important because the loss of the system volume will lead to inaccessible encrypted files.
You use the Certificate Manager to back up your EFS certificate, as we show you in
Exercise 5.3.
FIGURE 5.41 EFS’s Advanced Attributes dialog box
EXERCISE 5.3
Backing Up the EFS Certificate
1. Click Start > Run, enter certmgr.msc, and click OK.
2. Find the Personal folder and expand it to see the Certificates folder. Highlight the
Certificates folder, as shown here.
3. Find the certificate or certificates that are listed as Encrypting File System or Allows Data
to Be Encrypted, and highlight all of these certificates.
4. Select Action > All Tasks > Export. Clicking Export will open the Certificate Export
Wizard.
5. From the Certificate Export Wizard, click Next and then select Yes, Export the Private Key.
Click Next.
6. The Export File Format screen allows you to select the format you want to export to. The
Personal Information Exchange PKCS #12 will back up the certificate as well as the
private keys used by EFS. It will also allow backup to another computer or removable media.
Select this option and click Next.
7. You are now required to password-protect the file. Type a strong password and click Next.
8. Now enter the location you want to save the file and click Finish.
You should consider using removable media such as a USB flash drive when you back up
your certificates and keys. In the case of a hard drive crash, you can recover access to the files
when restored from backup. To restore the certificates and key, just go to Certificate Manager
and highlight the Personal folder. Select Action > All Tasks, and click Import. You can then
follow the wizard to import your certificates and keys. You can also create a recovery
certificate that is utilized when working with encrypted files from multiple users or when using a
smart card. You can create a recovery certificate by opening a command prompt, navigating
to the directory where you want to save the recovery certificate file, and typing cipher /r:file
where file is a filename you choose. Again, saving the file to some sort of removable media
is recommended. To install the recovery certificate, you open local security policy by selecting
Start > Run, typing secpol.msc, and clicking OK. Go to the Public Key Policies folder,
right-click the Encrypting File System folder, and select Add Data Recovery Agent. The Add
Recovery Agent Wizard will open and allow you to add the recovery certificate to the local machine.
After importing the recovery certificate, run gpupdate.exe from a command prompt to apply
the new certificate immediately.
New to Windows Vista is the ability to use a smart card to store a user’s encryption
certificates. It also allows you to store recovery keys. If you use smart cards for user logon already,
then EFS will use single sign-on mode and bypass the need to enter a PIN. To use a smart card
to store your encryption certificate, connect a smart card reader and insert the smart card.
Then open Control Panel and select User Accounts and Family Safety and then User Accounts.
Under Tasks, click Manage Your File Encryption Certificates. When the Encrypting File
System wizard opens, click Next. Select Create New Certificate, select the type of certificate, which
can be a certificate on your computer, on a smart card, or from a domain certificate authority,
and click Next. You will then be prompted to enter the smart card PIN. You can update your
encrypted files with this new certificate now or later.
Using BitLocker to Secure Entire Systems
EFS protects individual files with encryption, but what about protecting the entire system?
How do you protect the computer from physical access attacks such as loading another
operating system, running a local brute-force attack, or locally loading malicious software such as
a key logger to steal passwords? These attacks can be run when an intruder has access to a
computer. Headlines about laptop thefts that contain sensitive data give administrators plenty
of justification to implement a solution that will protect a computer from physical data theft
and tampering.
BitLocker Drive Encryption, or just BitLocker, provides protection to the operating system
and the data stored on a computer by encrypting entire hard drive volumes and making them
inaccessible without passing through the correct processes. These boot processes check for
tampering and work in conjunction with a specific hardware module included with some computers,
known as a Trusted Platform Module (TPM). A TPM is a microchip and BIOS combination
that conforms to a standard set by the Trusted Computing Group; it holds cryptographic keys
and a random number generator as well as other security features that prevent tampering.
BitLocker is only available in Windows Vista Ultimate and Enterprise editions.
When considering BitLocker, you should take into account what scenario is appropriate.
Whereas EFS protects files for individual users on local and shared resources, BitLocker is
designed to protect the local system against offline threats. EFS will, for example, protect
the Documents folder but will not protect the entire system volume. BitLocker will protect
the system volume and not allow access by any programs run while Windows Vista is offline,
but it will not, for example, protect the Documents files between users on the local machine
when Windows Vista is in use. BitLocker is most appropriate for laptop protection and
computers that are not physically secure.
BitLocker is transparent to the user, but takes some forethought to set up properly. The
requirements to use BitLocker are as follows. You must choose between these two options:
• A Trusted Platform Module (TPM) version 1.2 enabled and a TPM-compatible BIOS
• A USB flash drive to store the encryption keys
You must also satisfy these requirements in all scenarios to use BitLocker:
• The BIOS must be configured to boot from the hard drive first.
• At least two NTFS disk partitions must be created before installing Windows Vista.
• The system volume partition on the hard drive must be at least 1.5GB and must be set as
the active partition.
If you decide to use a USB flash drive to store the encryption keys, you will
need to have it inserted every time the computer is booted up. Unlike TPM,
where the keys are stored on the motherboard, a USB flash drive can be easily
misplaced or forgotten, causing avoidable support issues.
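The requirements above can be checked on a running machine before starting the BitLocker wizard. The following is an added example, not taken from the book: a read-only PowerShell check that queries WMI for the TPM, the NTFS volumes, and the active partition. The function names New-Check and Test-BitLockerPrerequisites are hypothetical, and the script assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example (not from the book): read-only check of the BitLocker
# prerequisites listed above. Assumes PowerShell 2.0+ and an elevated prompt.
# The BIOS boot order cannot be read through WMI; verify it in firmware setup.

$MinSystemBytes = 1.5GB   # minimum system volume size given in the text

function New-Check($Requirement, $Met, $Detail) {
    # Hypothetical helper: one result row per requirement.
    New-Object PSObject -Property @{
        Requirement = $Requirement; Met = [bool]$Met; Detail = $Detail
    }
}

function Test-BitLockerPrerequisites {
    # Key storage: TPM 1.2, otherwise a USB startup key is needed.
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
            -Class Win32_Tpm -ErrorAction Stop | Select-Object -First 1
    } catch { $tpm = $null }

    if ($tpm) {
        # SpecVersion is a comma-separated string; the first field is the TCG version.
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        New-Check 'TPM version 1.2, enabled' `
            (($spec -eq '1.2') -and $tpm.IsEnabled_InitialValue) `
            "SpecVersion=$spec Enabled=$($tpm.IsEnabled_InitialValue)"
    } else {
        New-Check 'TPM version 1.2, enabled' $false `
            'No TPM visible to Windows; a USB startup key is needed instead'
    }

    # Volumes on fixed disks (DriveType 3), including ones without a drive letter.
    $fixed  = @(Get-WmiObject -Class Win32_Volume -Filter 'DriveType = 3')
    $ntfs   = @($fixed | Where-Object { $_.FileSystem -eq 'NTFS' })
    $system = $fixed | Where-Object { $_.SystemVolume } | Select-Object -First 1
    $boot   = $fixed | Where-Object { $_.BootVolume }   | Select-Object -First 1

    New-Check 'At least two NTFS partitions' ($ntfs.Count -ge 2) `
        "$($ntfs.Count) NTFS volume(s) on fixed disks"

    # The unencrypted system volume must not be the Windows (boot) volume.
    New-Check 'System volume separate from the Windows volume' `
        ($system -and $boot -and ($system.DeviceID -ne $boot.DeviceID)) `
        "System=$($system.Name) Windows=$($boot.Name)"

    New-Check 'System volume is NTFS and at least 1.5GB' `
        ($system -and ($system.FileSystem -eq 'NTFS') -and
         ($system.Capacity -ge $MinSystemBytes)) `
        "FileSystem=$($system.FileSystem) Capacity=$($system.Capacity) bytes"

    # BootPartition is the WMI name for the partition's active flag.
    $active = @(Get-WmiObject -Class Win32_DiskPartition -Filter 'BootPartition = TRUE')
    $names  = ($active | ForEach-Object { "$($_.Name) ($($_.Size) bytes)" }) -join '; '
    New-Check 'Active partition of at least 1.5GB' `
        (@($active | Where-Object { $_.Size -ge $MinSystemBytes }).Count -ge 1) `
        "Active: $names"
}

Test-BitLockerPrerequisites |
    Select-Object Requirement, Met, Detail |
    Format-Table -AutoSize -Wrap
```

A row with Met set to False names the requirement to fix before turning on BitLocker; a False TPM row alone means the USB startup key option applies.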
To enable BitLocker, you must first prepare the system. The BitLocker scheme uses an
unencrypted simple system volume to save the boot information. This 1.5GB partition must
be the first partition on the disk. When you set up a new computer with no operating system,
first create the 1.5GB primary partition. Then create the partition to be used for Windows
Vista. After Windows Vista is installed, you can initialize BitLocker encryption by going to
Control Panel, clicking Security, and then clicking BitLocker Drive Encryption. From the
BitLocker Drive Encryption page, you can turn on BitLocker and use the wizard to guide you
through the process. The wizard will have you initialize the TPM hardware (if it hasn’t been
done yet) and prompt you to save the recovery password. The recovery password is used when
BitLocker detects a change that may be a security risk and locks the drive. The recovery
password will be required in order to unlock the drive. You will be given the option to save
the password on a USB drive, in a folder on a network drive, or in another location, or to
print the password. You will then be prompted to encrypt the selected volume and have an
option to run a BitLocker system check, which will reboot the computer, run a compatibility
check, and get ready for encryption. The system will then begin encrypting your Windows Vista
system partition, denoted by a BitLocker icon in the toolbar. Once encryption has completed,
if there is any tampering with the system via the TPM or key system files or if the computer
is started with another disk to bypass Windows Vista, the computer will lock and switch to
recovery mode, requiring the recovery password to boot the system normally.
Take care when setting your recovery password for BitLocker. Without this
password, if the computer goes into recovery mode you will not be able to
access any data on the encrypted system partition. You should keep this
password in a safe place physically away from the computer. This password is
unique and cannot be used on any other BitLocker-encrypted system.
To use a USB flash drive instead of a TPM-enabled computer, you must modify the Group
Policy. From the Group Policy Object Editor select Local Computer Policy/Administrative
Templates/Windows Components/BitLocker Drive Encryption. Double-click Control Panel Setup:
Enable Advanced Startup Options. In the dialog box select Allow BitLocker Without a
Compatible TPM and click OK. Force the policy change by running gpupdate.exe /force from a
command prompt. Now run BitLocker Drive Encryption from Control Panel. This time you will be
prompted with the option Require Startup USB Key at Every Startup. You’ll need to insert the
USB flash drive and select the drive when prompted with the Save Your Startup Key option.
These are the only differences from a TPM-enabled BitLocker encryption setup.
Summary
Windows Vista introduces many features to improve client security and increases
administrators’ confidence that they will see fewer problems from the desktop than in the
past. At the center of it all is Security Center, providing you one place to go to ensure
that your system is secure.
Using BitLocker at XYZ Financial
XYZ Financial Corporation is a firm that offers financial planning advice to customers all over
the country. Their financial consultants spend a lot of time traveling to customer sites. Several
years ago, two of the company’s laptops were stolen while two financial consultants were
traveling from Denver back to their home office in New York. Luckily, none of the personal
customer information seemed to be compromised.
Jim, the head of IT for XYZ Financial, was convinced that the only reason the data wasn’t
compromised was that the thieves didn’t know to look for possible identity theft details. To
prevent possible future losses of customer data, Jim decided that all financial planners would
need to encrypt their drives with BitLocker. Using this solution with Windows Vista will
prevent data loss even if an entire machine is stolen.
We also covered how you can use Parental Controls to not only control when the computer
can be used, but also how to control access to things on the computer. You learned how to
restrict web browsing, game playing, computer usage times, and application usage. We also
looked at how you can monitor usage to ensure your rules are being followed.
You also learned that Internet Explorer 7 includes several new features to counter the very
real threats from Internet browsing. The Pop-up Blocker now includes a preconfigured set of
filters and an exclusion list. The Microsoft Phishing Filter filters websites that aim to steal a
user’s personal information and identity. It uses a multilayered approach to check websites
against known good sites locally and from the Microsoft URL Reputation Service. Protected
Mode now protects the computer from scripts and programs that run from a browsing session.
It requires confirmation to allow interaction with the local system, preventing unknown
programs from running without a user’s knowledge.
Windows Vista ships with UAC, which we also explored in this chapter. UAC provides
a new layer of security for performing administrative actions on Windows Vista machines.
Using UAC, you can prevent administrators from making mistakes and provide a mechanism
for standard users and applications to have their rights temporarily elevated.
We talked about Windows Update. Using Windows Update, you can ensure that the latest
updates and security patches have been applied, not only to Windows Vista but also to other
applications that you might have installed.
Encryption in Windows Vista takes two forms. Encrypting File System (EFS) can encrypt
individual files and folders to keep a user’s data secure from unauthorized access. New
features include storing user keys and recovery keys on a smart card and support for more
certificates. BitLocker Drive Encryption will encrypt an entire system partition. Whereas EFS
protects individual files, BitLocker protects the entire system from physical kinds of attack.
Trusted Platform Module (TPM) hardware works in concert with BitLocker to prevent someone
from tampering with a system to extract data. This is most useful on laptops to protect
sensitive data from theft. Security auditing gains better functionality through a few new audit
settings and many new subcategories.
Exam Essentials
Understand how to use Windows Security Center. Know how to turn your firewall on or
off and how to tell if you have a problem with your firewall. Understand how to diagnose an
issue with Windows Update. Understand how to get Security Center to work with your
antivirus program.
Know how to configure Parental Controls. Know how to monitor and manage access to the
computer. Understand monitoring and managing access to the Internet. Know how to monitor and
manage access to specific applications. Know how to manage access to games via content and
ratings. Understand how to configure and use activity reports.
Know how to configure security in Internet Explorer 7. You should understand how to
configure the Pop-up Blocker. Understand what phishing is and how to use the Microsoft
Phishing Filter. Know the steps taken by the Phishing Filter when a user requests a web page.
Understand how Protected Mode prevents access to the system. Know how to configure
security zones and how to add sites to the Trusted Sites and Restricted Sites zones.
Understand User Account Control. Know what UAC is and how it helps to secure Windows
Vista. Be familiar with the various settings and prompts that you will encounter in UAC.
Know where to go to change UAC settings. Be familiar with Admin Approval mode.
Know how to use Windows Update to apply security patches and updates. Understand
how to configure Windows Update. Know that Windows Update requires Internet access to
communicate and download updates. Know where to look to find available and installed
updates. Know how to manually install and uninstall updates.
Know how to protect data. Be familiar with the new features of EFS. Understand how you
can use a smart card to store keys. Understand why you would use BitLocker. Know how
BitLocker works with the Trusted Platform Module. Know the requirements in order to enable
BitLocker on a Windows Vista system.
Review Questions
1. How can you check the certificate details of a secure website?
A. Click the lock icon next to the URL in Internet Explorer 7.
B. Click the Internet globe at the bottom of the Internet Explorer 7 window.
C. Enable TLS 1.0.
D. Select Tools > Internet Options, and select the Advanced tab.
2. After deploying Windows Vista to your organization, users report that there have been
problems with spam e-mails linking users to phishing websites. You deployed Internet Explorer 7
with phishing enabled. What can you do to ensure the Phishing Filter is used?
A. Add the setting to a logon script.
B. Set the user’s home page to automatically use an intranet site.
C. Use a firewall to block the websites reported.
D. Set the Group Policy setting to Turn Off Managing Phishing Filter.
3. Bob reports that he has been getting more false reports of phishing websites than when he had
installed Windows Vista six months ago. What can you do to resolve the issue?
A. Turn on the Phishing Filter.
B. Turn on Automatic Website Checking.
C. Check the computer for a virus.
D. Use HTTPS at the beginning of the URL.
4. When you are working with Windows Vista, what types of accounts are you most likely to
encounter? (Choose all that apply.)
A. Power User
B. Standard User
C. Administrator
D. Server Operator
5. Which of the following directories cannot be configured for virtual writes upon failure
using UAC?
A. Windows
B. Windows\System32
C. Application Data
D. Program Files
6. Which of the following are prompt options for administrators running in Admin Approval
mode? (Choose all that apply.)
A. Prompt for Consent
B. Request Domain Consent
C. Elevate Without Prompting
D. Prompt for Credentials
7. Which service must be running in order for UAC to properly elevate applications that require
administrative permissions?
A. User Access Control service
B. Application Elevation service
C. Background Intelligent Transfer service
D. Application Information service
8. After an upgrade, some of your applications are no longer working. In many cases they just
crash, but a few of the applications are giving errors about being unable to access files in the
C:\Windows directory. Which feature of UAC might correct your problems?
A. File and Registry Virtualization
B. Admin Approval mode
C. Configuring UAC to Elevate Without Prompting
D. System Directory Copy-on-Demand
9. Right-clicking an update provides three options. Which of the following is an option for
Windows Updates?
A. Select Details
B. Update Details
C. Copy Details
D. Hide Details
10. A developer calls you to report that she is receiving a certificate warning on a new website she
is developing. The web server does not yet have a certificate issued by a certificate authority.
What should the user do?
A. The user can continue to the site since it is known to be safe.
B. Have the user add the website to the Trusted Sites zone.
C. Have the user add the website to Favorites.
D. Have the user disable checking for revocation.
11. You have a custom web application that requires access to c:\CustomApp. Currently, users
receive a prompt requesting access to the c:\CustomApp folder. The program runs internally
and is not a threat. What can you do to prevent the prompts?
A. Add the website to the Trusted Sites zone.
B. Add the website to the proxy exceptions list.
C. Disable User Account Control.
D. Move the c:\CustomApp folder to the user’s Temporary Internet Files folder.
12. Which of the following is not a security application that is monitored by Security Center?
A. Windows Firewall
B. Windows Defender
C. Norton Antivirus
D. Phishing Filter
13. BitLocker is best used in which of the following situations? (Choose all that apply.)
A. Prevent users on the Active Directory network from seeing files on the computer.
B. Protect against data theft from a stolen laptop.
C. Prevent a utility from booting from a CD and accessing the offline system files of the
operating system.
D. Enforce file-level encryption of a user’s Documents folder.
14. Which of the following are examples of malware? (Choose all that apply.)
A. Viruses
B. Worms
C. Spyware
D. Pop-ups
15. Using Windows Update, you can control how updates are downloaded and applied to
Windows Vista. Which of the following are valid options for Windows Update? (Choose
all that apply.)
A. Install Hidden Updates
B. Download Updates but Let Me Choose Whether to Install Them
C. Check for Recent Updates
D. Never Check for Updates
16. A user wants to use EFS to encrypt their Documents folder and back up the EFS certificate and
private keys to a USB flash drive. What should you use to initiate the backup process?
A. Use the Backup and Restore Center.
B. Copy the cert.msc file to the USB flash drive.
C. Run certmgr.exe and start the Certificate Export Wizard.
D. Right-click the Documents folder and select EFS Backup.
17. Which of the following is a rating provided for software games? (Choose all that apply.)
A. Everyone
B. Everyone12+
C. Teen
D. Mature Only
18. When blocking access to websites with Parental Controls, which restriction level will block
content related to tobacco? (Choose all that apply.)
A. High
B. Medium
C. None
D. Custom
19. Which ESRB rating is the lowest that may contain minimal blood?
A. Mature
B. Teen
C. Everyone 10+
D. Adults Only
20. When configuring Parental Control restrictions for applications, what options do you have?
(Choose all that apply.)
A. Block all applications.
B. Allow all applications.
C. Block specific applications and allow the rest.
D. Allow specific applications and block the rest.
Answers to Review Questions
1. A. Click the lock icon to get information on the certificate used by the secure website.
2. D. To configure mandatory use of the Phishing Filter, set the Group Policy setting to Turn Off
Managing Phishing Filter. This will prevent the user from changing the settings.
3. B. The Phishing Filter first checks a local file for legitimate websites. If Automatic Website
Checking is turned off, it will not utilize the Microsoft URL Reputation Service available on
the Internet. This list is updated frequently.
4. B, C. Standard User and Administrator are the two main types of user accounts in Windows Vista.
5. C. The Application Data folder, found in Windows 2000 and XP, cannot be configured for a
virtual redirect upon failure in Windows Vista.
6. A, C, D. All of these are valid prompt options for Admin Approval mode except for Request
Domain Consent, which isn’t an option for anything.
7. D. Without the Application Information service, UAC cannot elevate application credentials.
If this service is not running, the application will run under the security context of the user
without elevating and may fail.
8. A. File and Registry Virtualization will allow non-UAC-aware applications to think they still have
access to system directories and the registry. This allows these apps to run on Windows Vista.
9. C. The Copy Details option allows you to copy the details to the Clipboard so they can be
pasted into another document.
10. A. The user should continue on to the site, since the website is safe. Adding the website to the
Trusted Sites zone would still generate a certificate warning. Disabling checking for revocation
would not avoid the certificate warning since the CA is not trusted.
11. A. Websites in the Trusted Sites zone do not run in Protected Mode.
12. D. The Phishing Filter is a component of Internet Explorer, and while important for the
security of Windows Vista, is not monitored by Security Center.
13. A, C. BitLocker will encrypt the entire system volume, preventing data theft and hacking of the
offline operating system. Once booted, the system operates as normal.
14. A, B, C. Each of these is malware except for pop-up ads, which while annoying, are generally
not detrimental to the system.
15. B, D. Download Updates but Let Me Choose Whether to Install Them and Never Check for
Updates are two of the options. Install Updates Automatically and Check Updates but Let Me
Choose Whether to Download and Install Them are the two options not listed.
16. C. Use certmgr.exe and run the Certificate Export Wizard (Action > All Tasks > Export) to
export the private key and certificate.
17. A, C. Both Everyone and Teen are ratings given to computer games.
18. A, D. Only High and Custom will block access to sites about tobacco. Both Medium and None
will allow the user to access such sites.
19. B. Games with a Teen rating may contain minimal blood in parts of the game.
20. A, B, D. When setting up application restrictions, you could allow all apps (the default), block
all apps (by choosing Only Allow Apps I Pick and then not picking any apps), or you can allow
certain apps and the rest are blocked. You can’t block a specific application.