Uh-oh, it looks like your Internet Explorer is out of date.
For a better shopping experience, please upgrade now.
An Inside Look at Windows Vista Security for Systems Administrators
Get an early start on Windows Vista security and the technology shifts you'll need to know as a systems administrator. From leading Windows expert Mark Minasi comes this "just-in-time" book to get you there. This targeted, hands-on guide takes a rapid-fire approach to the biggest security changes and how they'll affect business as usual for those who must integrate and provide technical support for Windows Vista. You'll find practical instruction, tips, workarounds, and much more.
• Work through a slew of Vista surprises, such as logging on as Administrator and how to re-enable Run
• Discover how virtualization worksand where it doesn't
• Find out why you can no longer delete files in System32, even though you are an Administrator
• Get familiar with new post-boot security features such as PatchGuard
• Protect laptops to the max with the innovative BitLocker feature
• Meet the new Windows Integrity mechanism
• Explore the revamped Event Viewer, event forwarding, and new troubleshooting tools
Go above and beyond what you've heard about Vista
Discover the changes to Share and Registry Access
Catch up on all the encryption news and services
Try out Vista Remote Desktop with its enhanced security
About the Series
The Mark Minasi Windows Administrator Library equips system administrators with in-depth technical solutions to the many challenges associated with administering Windows in an enterprise setting. Series editor Mark Minasi, a leading Windows expert, not only selects the topics and authors, he also develops each book to meet the specific needs and goals of systems administrators, MIS professionals, help-desk personnel, and corporate programmers.
About the Author
Mark Minasi, MCSE, is one of the world's leading Windows authorities. He teaches classes in 15 countries and is a much sought-after speaker at conferences and industry gathering keynotes. His firm, MR&D, has taught tens of thousands of people to design and run Windows networks. Mark has written over 15 books for Sybex, including the market-leading Mastering Windows Server 2003 and The Complete PC Upgrade and Maintenance Guide.
Byron Hynes works in the Windows Server User Assistance group at Microsoft. He has prior experience running a regional Internet backbone, troubleshooting client-server and Web-enabled applications, and designing network infrastructures and security models. Byron co-authored Hands-On Microsoft Windows Server 2003 Active Directory.
Table of Contents
Chapter 1 Administering Vista Security: The Little Surprises.
Restoring the Administrator.
Making Your Own Administrator.
Activating the Administrator Account.
Power Users Are Essentially Gone.
“Run…” Is Off the Start Menu.
BOOT.INI Is Gone, BCD Is Here.
Creating a Second OS Entry.
Understanding Vista Boot Manager Identifiers.
Choosing Timeout and Default OS with bcdedit.
Changing an Entry Option.
Cleaning Up: Deleting OS Entries.
“Documents and Settings” Is Gone, Kind Of.
IPv6 and Network Properties.
Remote Desktop Gets a Bit More Secure.
NTFS and the Registry Are Transaction Based.
Undelete Comes to Windows for Real!
Changes in Security Options.
Changes to Named Pipe Access.
Changes to Share and Registry Access.
LM Deemphasized, NTLMv2 Emphasized.
No More Unsigned Driver Warnings.
Vista Includes New Cryptographic Services.
You Can Encrypt Your Pagefile.
Offline Files Folders Are Encrypted per User.
New Event Viewer.
XML Format Comes to Event Viewer.
Custom Queries Lets You Customize Event Viewer.
Generating Actions from Events.
Telling the Event Log Service to Display Messages.
Forwarding Events from One Computer to Another.
Creating an Example Subscription.
Troubleshooting Subscription Delays.
Event Forwarding in Workgroups.
Chapter 2 Understanding User Account Control (UAC): “Are You Sure, Mr. Administrator?”
Why UAC Is Good, after All.
UAC Benefits for Users.
UAC Benefits for Admins.
UAC as a Transition Tool.
An Overview of UAC.
Digging Deeper into UAC.
How Windows Creates the Standard User Token.
How to Tell UAC to Use the Administrator Token.
What Tells Windows to Use the Administrator Token.
Reconfiguring User Account Control.
Turning UAC On, Off, or in Overdrive.
Configuring UAC Junior: UAC for the User.
Side Point: How “Administrator-ish” Must You Be to Get UACed?
Excluding the Built-in Administrator.
Telling UAC to Skip the Heuristics.
Controlling Secure Desktop.
Sign or Go Home: Requiring Signed Applications.
Working around Apps That Store Data in the Wrong Places.
The Big Switch: Turning Off UAC Altogether.
Will UAC Succeed?
Chapter 3 Help for Those Lame Apps: File and Registry Virtualization.
File and Registry Virtualization Basics.
Seeing File Virtualization in Action.
File and Registry Virtualization Considerations.
Which Areas Are Protected and Where They Are Virtualized.
How Virtualization Handles Files.
How Virtualization Handles the Registry.
What Does “Legacy” Mean, Exactly?
Seeing Virtualization in Standard Versus Administrative Users.
A Possible Virtualization Problem.
The Future of Virtualization.
4 Understanding Windows Integrity Control.
Windows Integrity Control Overview.
Mandatory Controls Versus Discretionary Controls.
The Orange Book.
C2 Certification and NT.
C and B: Discretionary Versus Mandatory.
WIC’s Six Integrity Levels.
How Objects Get and Store Integrity Levels: Mandatory Labels.
Process Integrity Levels.
Seeing Processes in Action.
Example: Starting a Low Integrity Application.
Internet Explorer Protected Mode and WIC.
A Prime Directive Puzzle: WIC and Deletes.
Using WIC ACEs to Restrict Access.
Things WIC ACEs Can’t Do.
You Cannot Apply Mandatory Labels with Group Policy.
You Cannot Create Standard Permissions That Name Mandatory Labels.
A Note on Modifying System Files.
Dialing Up Custom Labels.
Meet SDDL Strings.
Understanding the Secret Language of Bs: SDDL Label Syntax.
Using SDDL Strings to Set Integrity Levels.
Chapter 5 BitLocker: Solving the Laptop Security Problem.
The Laptop Security Problem Today.
BitLocker Drive Encryption—The Overview.
What Is a TPM?
Full Disk Encryption.
Authentication or Access Control.
Increasing Security with Additional Key Protectors.
Boot Process Validation (Integrity Check).
Enabling BitLocker for the First Time.
Using BitLocker without a TPM.
Summary of Key Protectors.
Recovery Example 1: Desktop Hardware Failure (Stand-alone System without a TPM).
Recovery Example 2: Laptop Hardware Failure (TPM-based).
Recovery Example 3: Lost USB Key (Computer with a TPM).
Recovery Example 4: “Found” Laptop.
BitLocker and Active Directory.
Group Policy Options.
Managing the TPM and BitLocker in the Enterprise.
Servicing a BitLocker-Protected Computer.
Planning for BitLocker Deployment.
Chapter 6 Post-Boot Protection: Code Integrity, New Code Signing Rules, and PatchGuard.
Address Space Layout Randomization.
Giving 64-bit More Armor.
What Can Go Wrong?
New Code Signing Rules.
What Is Code Signing and Why Does It Matter?
Protected Media Path Requirements.
Getting Down to Business: Code Signing an Application or Driver.
Getting Down to Business: Deploying an Application or Driver Signed by a Publisher.
Chapter 7 How Vista Secures Services.
Services in Brief.
Service Control Manager.
How Vista Toughens Services: Overview.
Reducing Service Privileges.
Developers Can Reduce Service Privileges.
Admins Can Also Reduce Service Privileges.
Special Case: Multiple Services Needing Different Privileges.
Reduced Privilege Summary.
How Service Isolation Works.
Restricting a Service’s SID.
Granting Write Permissions to a Service SID.
Understanding the sc.exe.
Restricted SID Commands.
Restricting a Service’s Network Ports.