Sunday, June 19, 2011

CHAPTER 4 (I)

CHAPTER 4
Security
For some users, problems begin before they even log on. Authentication, the process of
identifying users and validating their credentials, can be very complex in a Windows 7
environment. Although home users might never run into problems typing their user names
and passwords, in Active Directory Domain Services (AD DS) environments, users authenticate
to domain controllers and other servers on the network. In addition, authentication can use
smart cards or biometrics as well as passwords. User Account Control (UAC) adds another layer
of complexity because a user might use multiple sets of credentials within a single session.
In recent years, more and more security compromises are initiated when users visit
a Web site. For example, Web sites might trick the user into providing confidential
information, or they might exploit a vulnerability in the browser to run code without the
user’s explicit permission. In Windows 7, Windows Internet Explorer 8.0 includes several
features to reduce this risk.
Though network attacks are the most widespread, the increase in mobile users has led
to an increase in physical data theft. If someone steals a computer, he or she can bypass all
your security controls except encryption. Windows 7 provides two ways to encrypt the files
on your computer: Encrypting File System (EFS), which encrypts individual files and folders
on a per-user basis, and BitLocker, which encrypts entire volumes.
This chapter describes how to configure and troubleshoot authentication, Internet
Explorer, EFS, and BitLocker.
Exam objectives in this chapter:
Identify and resolve logon issues.
Identify and resolve Windows Internet Explorer security issues.
Identify and resolve encryption issues.
Lessons in this chapter:
Lesson 1: Authenticating Users
Lesson 2: Configuring and Troubleshooting Internet Explorer Security
Lesson 3: Using Encryption to Control Access to Data
Before You Begin
To complete the lessons in this chapter, you should be familiar with Windows 7 and be
comfortable with the following tasks:
Installing Windows 7
Connecting a computer physically to a network
Performing basic administration tasks on a Windows Server 2008 R2–based domain
controller
REAL WORLD
Tony Northrup
To businesses, security is a math problem: if a countermeasure reduces risk by
more than it costs, then they use it.
Consider the risk of an attacker stealing a mobile computer and misusing
confidential files. I’m making very rough estimates, but a mobile computer might
have a 2 percent chance of being stolen in a given year. Out of those laptops,
perhaps 10 percent of thieves find and abuse confidential information. Therefore,
there is a 0.2 percent chance of confidential data being abused annually per laptop.
However, the cost can be significant. To a big business, such a compromise could
cost millions—so let’s estimate that a single compromise would cost $10 million.
If the business has 100 computers with confidential data on them, the total risk is
$2 million annually.
If the risk is $2 million annually, you wouldn’t want to spend more than that to
mitigate it. Windows 7 includes BitLocker Drive Encryption to mitigate the risk of
a stolen computer. However, it’s not effective if a user is currently logged in, if the
attacker also steals the universal serial bus (USB) flash drive, or if the attacker can
guess the user’s personal identification number (PIN). For the sake of this example,
let’s assume that properly training users, automatically locking computers that are
not in use, and requiring BitLocker Drive Encryption with either a USB flash drive
or a PIN as a startup key is 80 percent effective at mitigating the risk of stolen
computers.
By reducing the $2 million risk by 80 percent, you’ve just saved the fictional
company $1.6 million annually. You’ve incurred some cost, though. IT needs to
upgrade computers with confidential data to Windows 7, upgrade hardware where
necessary, and spend time training users. Let’s estimate that this will cost $3,000
per user up front. If the computer stays in service for three years, the cost is $1,000
per user annually, or $100,000 total—reducing the annual savings from $1.6 million
to $1.5 million. BitLocker has ongoing costs, too, especially if you require a startup
key, because some users will forget their USB flash drive or PIN and be locked out of
their computers, losing productivity and incurring a call to IT. These costs get very
difficult to estimate, but if 10 percent of the 100 users with confidential data have
a problem in one year, and the lost productivity and support call cost $500 per user,
then the cost is $5,000 per year.
Given those estimates of risk and cost, BitLocker is a very worthwhile investment for this fictional
company. Not all security features are worthwhile, though. The next time you’re
troubleshooting a security problem, think about whether the time you’re spending
troubleshooting the problem and the productivity that users are losing are worth
the benefits of the security feature. For more information, read the Security Risk
Lesson 1: Authenticating Users
Before a user can log on to a computer running Windows 7, connect to a shared folder,
or browse a protected Web site, the resource must validate the user’s identity using a
process known as authentication. Windows 7 supports a variety of authentication techniques,
including the traditional user name and password, smart cards, and third-party authentication
components. In addition, Windows 7 can authenticate users with the local user database or
an AD DS domain.
This lesson provides a basic background in authentication technologies and then describes
how to audit logons and troubleshoot authentication problems.
After this lesson, you will be able to:
Describe authentication and list common authentication techniques.
Add user names and passwords manually to Credential Manager to enable
automatic authentication to network resources.
Troubleshoot authentication issues.
Estimated lesson time: 25 minutes
What Is Authentication?
Authentication is the process of identifying a user. In home environments, authentication is
often as simple as clicking a user name at the Windows 7 logon screen. However, in enterprise
environments, almost all authentication requests require users to provide both a user name
(to identify themselves) and a password (to prove that they really are the user they claim to be).
Windows 7 also supports authentication using a smart card. The smart card, which is
about the size of a credit card, contains a chip with a certificate that uniquely identifies the
user. So long as a user doesn’t give the smart card to someone else, inserting the smart
card into a computer sufficiently proves the user’s identity. Typically, users also need to type
a password or PIN to prove that they aren’t using someone else’s smart card. When you
combine two forms of authentication (such as both typing a password and providing a smart
card), it’s called multifactor authentication. Multifactor authentication is much more secure
than single-factor authentication.
Biometrics is another popular form of authentication. Although a password proves your
identity by testing “something you know” and a smart card tests “something you have,”
biometrics test “something you are” by examining a unique feature of your physiology. Today
the most common biometric authentication mechanisms are fingerprint readers (now built
into many mobile computers) and retinal scanners.
NOTE BIOMETRICS
Biometrics are the most secure and reliable authentication method because you cannot
lose or forget your authentication. However, it’s also the least commonly used. Reliable
biometric readers are too expensive for many organizations, and some users dislike
biometric readers because they feel the devices violate their privacy.
How to Use Credential Manager
Credential Manager is a single sign-on feature, originally for Windows Server 2003 and
Windows XP, that enables users to input user names and passwords for multiple network
resources and applications. When different resources require authentication, Windows can
then automatically provide the credentials without requiring the user to type them.
In Windows Vista and Windows 7, Credential Manager can roam stored user names and
passwords between multiple Windows computers in an AD DS domain. Windows stores
credentials in the user’s AD DS user object. This enables users to store credentials once and
use them from any logon session within the AD DS domain. For example, if you connect to
a password-protected Web server and you select the Remember My Password check box,
Internet Explorer will be able to retrieve your saved password later, even if you log on to
a different computer running Windows Vista or Windows 7.
Users can take advantage of Credential Manager without even being aware of it. For
example, each time a user connects to a shared folder or printer and selects the Reconnect
At Logon check box, Windows automatically stores that user’s credentials within Credential
Manager. Similarly, if a user authenticates to a Web site that requires authentication and
selects the Remember My Password check box in the Internet Explorer authentication dialog
box, Internet Explorer stores the user name and password in Credential Manager.
NOTE CREDENTIAL ROAMING
For detailed information about credential roaming, read “Configuring and Troubleshooting
Certificate Services Client-Credential Roaming” at
http://www.microsoft.com/technet/security/guidance/cryptographyetc/client-credential-roaming/implementationdifferences.mspx.
Windows automatically adds credentials used to connect to shared folders to the
Credential Manager. However, you might want to add a user name and password manually
so that Windows can provide those credentials automatically for a group of computers in
a different domain. To add a user name and password manually to Credential Manager,
follow these steps:
1. Click Start, and then click Control Panel.
2. Click the User Accounts link twice.
3. In the left pane, click the Manage Your Credentials link.
The Credentials Manager window appears, as shown in Figure 4-1.
FIGURE 4-1 Using Credential Manager to authenticate automatically to resources that
require credentials other than those you use to log on
4. Click Add A Windows Credential. Note that you can also add certificate-based
credentials and generic credentials.
5. In the Internet Or Network Address box, type the server name. You can use an
asterisk (*) as a wildcard. For example, to use the credential for all resources in the
contoso.com domain, you could type *.contoso.com.
6. In the User Name and Password boxes, type your user credentials. Click OK.
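The same credential store can be managed from the command line with cmdkey.exe, which ships with Windows 7. The following is an added example, not code from the book: it wraps cmdkey to add, list and delete a Windows credential (the wildcard target form from step 5 works the same way) and parses the output of cmdkey /list into objects. The function names are this example's own, and the listing used at the end is a constructed sample, not output captured from a real computer. It also does the job that the practice exercise later in this lesson performs through the Credential Manager window.

```powershell
# Added example (not from the book): the Credential Manager store can also be managed with
# cmdkey.exe, which ships with Windows 7. Function names here are this example's own.

function Add-StoredWindowsCredential {
    # Creates a 'Windows credential' for $Target, which may contain a wildcard such as *.contoso.com
    # exactly as in step 5 above. The password is prompted for so it never appears in a script
    # or in the console history.
    param(
        [Parameter(Mandatory = $true)] [string] $Target,
        [Parameter(Mandatory = $true)] [string] $UserName     # e.g. CONTOSO\alice
    )
    $secure = Read-Host -AsSecureString "Password for $UserName"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        cmdkey "/add:$Target" "/user:$UserName" "/pass:$plain" | Out-Null
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

function ConvertFrom-CmdkeyList {
    # Parses the text printed by 'cmdkey /list' into objects with Target, Type and User.
    param([string[]] $Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-StoredWindowsCredential {
    # Lists what the Credential Manager window shows, without passwords (cmdkey never prints them).
    ConvertFrom-CmdkeyList (cmdkey /list)
}

function Remove-StoredWindowsCredential {
    param([Parameter(Mandatory = $true)] [string] $Target)
    cmdkey "/delete:$Target"
}

# Constructed sample of 'cmdkey /list' output so the parser can be seen working offline.
$sampleList = @'
Currently stored credentials:

    Target: Domain:target=*.contoso.com
    Type: Domain Password
    User: CONTOSO\alice

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: fileserver01\backupoperator
'@ -split "`r?`n"

ConvertFrom-CmdkeyList $sampleList | Format-Table Target, Type, User -AutoSize
```

Listing the store is the first thing to do when a user reports that Windows "keeps using the wrong account" for a server: a stale entry whose target matches the server name is the usual cause, and Remove-StoredWindowsCredential (or the Remove link in the Credential Manager window) clears it.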
NOTE WEB SITES THAT CREDENTIAL MANAGER CAN AUTHENTICATE
TO AUTOMATICALLY
The only Web sites that Credential Manager can authenticate to automatically are those
that use Hypertext Transfer Protocol (HTTP) authentication. When visiting the site, the
Web browser opens a dialog box to prompt for credentials. Credential Manager cannot
remember your user name and password for Web sites that use a Hypertext Markup
Language (HTML) form of authentication (such as those that have a logon page), which is
much more common. Credential Manager can also remember .NET Passport credentials.
You can also back up and restore credentials manually in Credential Manager.
How to Troubleshoot Authentication Issues
Sometimes, users might experience problems authenticating to resources that have more
complex causes than mistyping a password or leaving the Caps Lock key on. The sections that
follow describe troubleshooting techniques that can help you better isolate authentication
problems.
UAC Compatibility Problems
Users often confuse authentication and authorization issues. This isn’t a surprise
because both types of problems can show the exact same error message:
“Access is denied.” Because UAC limits the user’s privileges and many applications
were not designed to work with UAC, security errors are bound to be even more
frequent in Windows Vista and Windows 7 than they were in Windows XP.
Most UAC-related problems are authorization-related, not authentication-related.
If the user doesn’t receive a UAC prompt at all but still receives a security error,
it’s definitely an authorization problem. If the user receives a UAC prompt and the
user’s credentials are accepted (or if the user logs on as an administrator and only
needs to click Continue), it’s definitely an authorization problem. UAC problems are
authentication-related only if UAC prompts a user for credentials and rejects the
user’s password.
Identifying Logon Restrictions
Often, authentication problems occur because administrators have configured logon
restrictions to enforce the organization’s security requirements. Logon restrictions include
locking accounts after several incorrect attempts at typing a password, allowing users to log
on only during specific hours, requiring users to change their passwords regularly, disabling
accounts, and accounts that expire on a specific date. The sections that follow describe each
of these types of logon restrictions.
NOTE DETERMINING LOGON CONTEXT
Users can authenticate to the local user database or an AD DS domain. Logon restrictions
defined for the domain apply only to domain accounts, and vice versa. Therefore, when
examining logon restrictions for users, you must determine their logon context.
The quickest way to do this is to open a command prompt and run the command set
to display all environment variables. Then, look for the USERDOMAIN line. If the user
logged on with a local user account, this will be the computer name (shown on the
COMPUTERNAME line). If the user logged on with an AD DS user account, this will be the
name of the domain. You can also check the LOGONSERVER line to determine whether
a domain controller or the local computer authenticated the user.
ACCOUNT LOCKOUT
If a user provides incorrect credentials several times in a row (for example, if an attacker is
attempting to guess a user’s password, or if a user repeatedly mistypes a password), Windows
can block all authentication attempts for a specific amount of time.
Account lockout settings are defined by Group Policy settings in the Computer
Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\
node as follows:
The number of incorrect attempts is defined by the Account Lockout Threshold setting.
The time that the number of attempts must occur within is defined by the Reset
Account Lockout Counter After policy.
The time that the account is locked out is defined by the Account Lockout Duration
policy.
Use the Resultant Set Of Policy tool (Rsop.msc) to identify a computer’s effective Group
Policy settings. To use the Resultant Set Of Policy tool, follow these steps:
1. Click Start, type rsop.msc, and press Enter.
2. In the Resultant Set Of Policy window, expand the Computer Configuration\Windows
Settings\Security Settings\Account Policies\Account Lockout Policies\ node.
3. The Details pane shows only the account lockout policy settings that have been
defined, and which Group Policy object defined them.
If a user receives an error message indicating that her account is locked out, or she cannot
log on even though she thinks she has typed her password correctly, you should validate the user’s
identity and then unlock the user’s account. To unlock a user’s account, view the user’s
Properties dialog box, and clear the Account Is Locked Out check box (for local Windows 7
user accounts) or the Unlock Account check box (for Windows Server 2008 R2 AD DS
accounts), as shown in Figure 4-2. Then, click Apply.
You can identify locked out accounts by examining logon audit failures in the domain
controller’s Security event log with Event ID 4625.
LOGON HOUR RESTRICTIONS
Administrators can also use the Account tab of an AD DS user’s properties to restrict logon
hours. This is useful when administrators do not want a user to log on outside his normal
working hours.
If a user attempts to log on outside his allowed hours, Windows 7 displays the error
message “Your account has time restrictions that prevent you from logging on at this time.
Please try again later.” The only way to resolve this problem is to adjust the user’s logon hours
by clicking the Logon Hours button on the Account tab of the user’s Properties dialog box.
Figure 4-3 shows a user who is allowed to log on between the hours of 10 and 6, Monday
through Friday.
FIGURE 4-2 Windows Server 2008 R2 changes the label
of the Unlock Account check box if an account is locked out.
FIGURE 4-3 Logon hours restrict users from logging on during specific
times of the day during the week.
PASSWORD EXPIRATION
Most security experts agree that users should be required to change their passwords
regularly. Changing user passwords accomplishes two things:
If attackers are attempting to guess a password, it forces them to restart their efforts. If
users never change their passwords, attackers would be able to guess them eventually.
If an attacker has guessed a user’s password, changing the password prevents the
attacker from using these credentials in the future.
Password expiration settings are defined by Group Policy settings in the Computer
Configuration\Windows Settings\Security Settings\Account Policies\Password Policy node as
follows:
The time before a password expires is defined by the Maximum Password Age policy.
The number of different passwords that users must have before they can reuse
a password is defined by the Enforce Password History policy.
The time before users can change their password again is defined by the Minimum
Password Age policy. When combined with the Enforce Password History policy, this
can prevent users from changing their password back to a previous password.
If users attempt to log on interactively to a computer and their password has expired,
Windows prompts them to change their password automatically. If users attempt to access
a shared folder, printer, Web site, or other resource using an expired password, they will
simply be denied access. Therefore, if a user calls and complains that she cannot connect
to a resource, you should verify that the user’s password has not expired. You can prevent
specific accounts from expiring by selecting the Password Never Expires check box on the
Account tab of the user’s Properties dialog box.
DISABLED ACCOUNT
Administrators can disable user accounts to prevent a user from logging on. This is useful if
a user is going on vacation and you know she won’t be logging on for a period of time, or if
a user’s account is compromised and IT needs the user to contact them before logging on.
To enable a user’s disabled account, clear the Account Is Disabled check box in the user’s
Properties dialog box.
ACCOUNT EXPIRATION
In AD DS domains, accounts can be configured to expire. This is useful for users who will be
working with an organization for only a limited amount of time. For example, if a contract
employee has a two-week contract, domain administrators might set an account expiration
date of two weeks in the future.
To resolve an expired account, edit the account’s properties, select the Account tab, and
set the Account Expires value to a date in the future. If the account should never expire, you
can set the value to Never.
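The lockout policy and every logon restriction described above (lockout, logon hours, password expiration, disabled and expired accounts) are visible in the output of net accounts and net user, which exist on every Windows 7 computer. The following is an added example, not code from the book: it parses that output, reports the effective lockout settings, lists the reasons a given account cannot log on at a given time, and clears the lock on a local account the way the Account Is Locked Out check box in Figure 4-2 does. Function names are this example's own, and the net user listing at the end is a constructed sample with a fictional account and dates.

```powershell
# Added example (not from the book): collect the lockout policy and a user's logon restrictions
# from the output of 'net accounts' and 'net user' (both present on every Windows 7 computer)
# and report which restriction would block a logon. Function names are this example's own.

function ConvertFrom-NetOutput {
    # Turns 'Label    value' lines (with or without a colon after the label) into a hashtable.
    # Continuation lines, which start with spaces, are skipped.
    param([string[]] $Lines)
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\S.*?):?\s{2,}(.+?)\s*$') { $table[$Matches[1]] = $Matches[2] }
    }
    return $table
}

function Get-LockoutPolicy {
    # The Account Lockout Policy values that Rsop.msc shows, as seen by the local computer
    # (or, with -Domain, as defined in the domain).
    param([switch] $Domain)
    $netArgs = @('accounts'); if ($Domain) { $netArgs += '/domain' }
    $t = ConvertFrom-NetOutput (net $netArgs)
    New-Object PSObject -Property @{
        LockoutThreshold      = $t['Lockout threshold']                     # 'Never' = lockout disabled
        LockoutDurationMin    = $t['Lockout duration (minutes)']
        ObservationWindowMin  = $t['Lockout observation window (minutes)']  # Reset Account Lockout Counter After
        MaxPasswordAgeDays    = $t['Maximum password age (days)']
        MinPasswordAgeDays    = $t['Minimum password age (days)']
        PasswordHistoryLength = $t['Length of password history maintained']
    }
}

function Test-LogonRestriction {
    # Returns the reasons found in 'net user' output why $UserName cannot log on at $Now.
    # Pass -NetUserOutput to evaluate captured output instead of querying the live account.
    param(
        [string]   $UserName,
        [switch]   $Domain,
        [string[]] $NetUserOutput,
        [datetime] $Now = (Get-Date)
    )
    if (-not $NetUserOutput) {
        $netArgs = @('user', $UserName); if ($Domain) { $netArgs += '/domain' }
        $NetUserOutput = net $netArgs
    }
    $u = ConvertFrom-NetOutput $NetUserOutput
    $reasons = @()
    switch ($u['Account active']) {
        'No'     { $reasons += 'Account is disabled' }
        'Locked' { $reasons += 'Account is locked out' }
    }
    foreach ($field in 'Account expires', 'Password expires') {
        $value = $u[$field]
        if ($value -and $value -ne 'Never' -and ([datetime] $value) -lt $Now) {
            $reasons += "$field on $value (expired)"
        }
    }
    $hours = $u['Logon hours allowed']
    if ($hours -and $hours -ne 'All') { $reasons += "Logon hours are restricted: $hours" }
    return $reasons
}

function Unlock-LocalUser {
    # Clears the Account Is Locked Out check box (Figure 4-2) for a local account; run elevated.
    param([Parameter(Mandatory = $true)] [string] $UserName)
    $account = [ADSI] "WinNT://$env:COMPUTERNAME/$UserName,user"
    $account.IsAccountLocked = $false
    $account.SetInfo()
}

# Constructed 'net user' output for a locked-out account whose password has also expired.
$sampleNetUser = @'
User name                    alice
Full Name                    Alice Example
Account active               Locked
Account expires              Never

Password last set            5/1/2011 9:00:00 AM
Password expires             6/12/2011 9:00:00 AM
Password changeable          5/2/2011 9:00:00 AM
Password required            Yes

Logon hours allowed          All
The command completed successfully.
'@ -split "`r?`n"

Test-LogonRestriction -UserName alice -NetUserOutput $sampleNetUser -Now ([datetime] '2011-06-19')
```

For a domain account, add -Domain to both functions so that net queries the domain controller rather than the local user database, which is the logon-context distinction made in the note on determining logon context above. Unlocking a domain account is still done on the Account tab of the user's Properties dialog box.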
How to Use Auditing to Troubleshoot Authentication Problems
By default, Windows 7 does not add an event to the event log when a user provides incorrect
credentials (such as when a user mistypes a password). Therefore, when troubleshooting
authentication problems, your first step should be to enable auditing for logon events so that
you can gather more information about the credentials the user provided and the resource
being accessed.
Windows 7 (and earlier versions of Windows) provides two separate authentication
auditing policies:
Audit Logon Events This policy audits authentication attempts for local resources,
such as a user logging on locally, elevating privileges using a UAC prompt, or
connecting over the network (including connecting using Remote Desktop or
connecting to a shared folder). All authentication attempts will be audited, regardless
of whether the authentication attempt uses a domain account or a local user account.
Audit Account Logon Events This policy audits domain authentications. No matter
which computer the user authenticates to, these events appear only on the domain
controller that handled the authentication request. Typically, you do not need to
enable auditing of account logon events when troubleshooting authentication issues
on computers running Windows 7. However, successful auditing of these events is
enabled for domain controllers by default.
To log failed authentication attempts, you must enable auditing by following these steps:
1. Click Start and then click Control Panel. Click System And Security. Click Administrative
Tools, and then double-click Local Security Policy.
2. In the Local Security Policy console, expand Local Policies, and then select Audit Policy.
3. In the right pane, double-click Audit Logon Events.
4. In the Audit Logon Events Properties dialog box, select the Failure check box to add an
event to the Security event log each time a user provides invalid credentials. If you also
want to log successful authentication attempts (which include authentication attempts
from services and other nonuser entities), select the Success check box.
5. Click OK.
6. Restart your computer to apply the changes.
With auditing enabled, you can view audit events in Event Viewer by following these steps:
1. Click Start, right-click Computer, and then click Manage.
2. Expand System Tools, Event Viewer, Windows Logs, and then select Security.
Event Viewer displays all security events. To view only successful logons, click the
Filter Current Log link in the Actions pane and show only Event ID 4624. To view only
unsuccessful logon attempts, click the Filter Current Log link and show only Event
ID 4625.
Figure 4-4 shows an example of a logon audit failure that occurred when the user
provided invalid credentials at a UAC prompt. Notice that the Caller Process Name (listed
under Process Information) is Consent.exe, the UAC process.
FIGURE 4-4 A logon audit failure caused by invalid credentials
Audits from failed authentication attempts from across the network resemble the
following code. In particular, the Account Name, Account Domain, Workstation Name,
and Source Network Address are useful for identifying the origin computer.
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: baduser
    Account Domain: NWTRADERS

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: CONTOSO-DC
    Source Network Address: 192.168.1.212
    Source Port: 4953

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
When you are authenticating to network resources, authentication failures are always
logged on the server, not on the client. For example, if you attempt to connect to a shared
folder and you mistype the password, the event won’t appear in your local event log—it
appears instead in the event log of the computer sharing the folder.
NOTE DON’T TRUST THE REPORTED COMPUTER NAME
The computer sending the authentication attempt communicates its own workstation
name. Therefore, if the attack is malicious, the workstation name might be intentionally
invalid. The Internet Protocol (IP) address should always be correct, however.
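The auditing steps above and the Event ID 4625 record they produce can both be handled from PowerShell. The following is an added example, not code from the book: it enables failure auditing for the Logon/Logoff category (the command-line equivalent of selecting Failure under Audit Logon Events), flattens 4625 events into objects whose Sub Status is translated to the logon restriction behind it, and summarizes failures by source address and account. In line with the note above, the summary keys on the IP address, which the client cannot choose, rather than on the self-reported workstation name. The function names and the sub-status table are this example's own; the XML record at the end is a constructed sample that mirrors the event shown above, not a record exported from a real log.

```powershell
# Added example (not from the book): enable failure auditing for logon events from the command
# line and read event 4625 records into objects that can be grouped by source address.
# ConvertFrom-LogonFailureXml, Get-LogonFailure and the sub-status table are this example's own.

function Enable-LogonFailureAuditing {
    # Command-line equivalent of selecting Failure under Audit Logon Events (run elevated).
    auditpol /set /category:"Logon/Logoff" /failure:enable
}

# NTSTATUS codes that Windows records in the Sub Status field of event 4625.
$LogonSubStatus = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006f' = 'Outside allowed logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000234' = 'Account locked out'
}

function ConvertFrom-LogonFailureXml {
    # Flattens the <EventData> of a 4625 event (as returned by EventLogRecord.ToXml()) into one object.
    param([string] $EventXml)
    $xml  = [xml] $EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $sub    = ($data['SubStatus'] + '').ToLower()
    $reason = 'Unknown'
    if ($LogonSubStatus.ContainsKey($sub)) { $reason = $LogonSubStatus[$sub] }
    New-Object PSObject -Property @{
        TimeCreated   = $xml.Event.System.TimeCreated.SystemTime
        AccountName   = $data['TargetUserName']
        AccountDomain = $data['TargetDomainName']
        LogonType     = $data['LogonType']
        Workstation   = $data['WorkstationName']      # self-reported by the client; may be bogus
        SourceAddress = $data['IpAddress']            # the field to key an investigation on
        SourcePort    = $data['IpPort']
        AuthPackage   = $data['AuthenticationPackageName']
        CallerProcess = $data['ProcessName']          # Consent.exe for a failed UAC prompt (Figure 4-4)
        Status        = $data['Status']
        SubStatus     = $data['SubStatus']
        Reason        = $reason
    }
}

function Get-LogonFailure {
    # Reads the newest 4625 events from the local Security log (needs administrative rights).
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() }
}

function Get-LogonFailureSummary {
    # Counts failures per source address and account. Many failures for many accounts from one
    # address is the pattern to look for; the workstation name is not used because it is untrusted.
    param($Failures)
    $Failures | Group-Object SourceAddress, AccountName |
        Select-Object @{ Name = 'Source/Account'; Expression = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# Constructed sample record mirroring the failed network logon shown above.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2011-06-19T10:15:00.000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">baduser</Data>
    <Data Name="TargetDomainName">NWTRADERS</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">CONTOSO-DC</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.1.212</Data>
    <Data Name="IpPort">4953</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-LogonFailureXml $sampleEvent
$parsed | Format-List AccountName, AccountDomain, SourceAddress, Workstation, Reason
Get-LogonFailureSummary @($parsed, $parsed)
```

On a live computer, Get-LogonFailureSummary (Get-LogonFailure) gives the same view of the Security log that Filter Current Log with Event ID 4625 gives in Event Viewer, and the Reason column tells you directly which of the logon restrictions from earlier in this lesson applies, since each one maps to its own sub-status code.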
Quick Check
1. Which auditing type should you enable to audit local logon events?
2. Which event log should you examine to find audited events?
Quick Check Answers
1. Audit Logon Events
2. Security
How to Troubleshoot Network Authentication Issues
To improve network security, network administrators often require 802.1X authentication
before allowing client computers to connect to either wireless or wired networks. 802.1X
authentication works at the network infrastructure layer to provide full network access only
to computers that are able to authenticate. For example, on most wireless networks, client
computers must be configured with a network security key or a certificate to connect to
the wireless access point. On wired networks, network switches that support 802.1X allow
a newly connected computer to access only a limited number of servers until the computer is
authenticated.
Network authentication can be a problem if Group Policy settings are used to distribute
the certificates required for network authentication because the client computer must first
connect to the network to retrieve the certificate. To work around this requirement for
802.1X-protected wireless networks, connect client computers to a wired network long
enough to update Group Policy settings.
If your organization requires authentication for wired networks (a less common
requirement than requiring wireless authentication), work with the domain administrators
to identify a procedure for temporarily connecting to the network when wired 802.1X
authentication fails. This process might involve connecting the computer across a virtual
private network (VPN), manually importing the client certificate on the client computer, or
using a smart card to authenticate to the network.
How to Troubleshoot an Untrusted Certification Authority
Certificates, such as those issued by an enterprise certification authority (CA), are often used
for authentication. Windows 7 can store certificates locally to authenticate a user or the
computer itself, and users can carry certificates with them on smart cards. Typically, domain
administrators should manage certificates and settings should be propagated to client
computers using Group Policy settings. However, if you receive an error informing you that
the CA that issued a certificate is not trusted, you can view existing CAs and then import the
CA’s certificate to configure Windows to trust any certificates issued by the CA.
To view trusted CAs, follow these steps:
1. Click Start, type mmc, and then press Enter to open a blank Microsoft Management
Console (MMC). Respond to the UAC prompt if it appears.
2. Click File, and then click Add/Remove Snap-in.
3. Select Certificates and click Add.
4. If prompted, select My User Account, and then click Finish.
5. Click OK to close the Add Or Remove Snap-Ins dialog box.
6. Expand Certificates – Current User, expand Trusted Root Certification Authorities, and
then select Certificates.
The middle pane shows a list of trusted CAs. By default, this includes more than
10 default public CAs. In addition, it should include any internal CAs used by your
organization. If your organization has an enterprise CA and it does not appear on this
list, contact the domain administrator for assistance because the CA trust should be
configured by using Group Policy.
Alternatively, you can trust a CA manually by following these steps from within the
Certificates snap-in:
1. Below Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and
then click Import.
The Certificate Import Wizard appears.
2. On the Welcome To The Certificate Import Wizard page, click Next.
3. On the File To Import page, click Browse. Select your CA certificate (which can be
provided by the CA administrator or exported from a computer that trusts the CA),
and then click Next.
4. On the Certificate Store page, accept the default certificate store (Trusted Root
Certification Authorities) and then click Next.
5. On the Completing The Certificate Import Wizard page, click Finish.
6. If prompted with a security warning, click Yes.
7. Click OK to confirm that the import was successful.
Now your user account will trust any certificates issued by the CA.
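The check and the import described above can also be scripted. The following is an added example, not code from the book: it lists the current user's trusted root CAs, builds the chain for a certificate file to confirm that the failure really is an untrusted root rather than, say, an expired certificate, and imports a CA certificate into Trusted Root Certification Authorities only after its thumbprint matches the value the CA administrator supplied out of band. That last check matters because anything placed in this store becomes a trust anchor for the account. Function names and the ExpectedThumbprint parameter are this example's own; the .NET X509 classes it uses are part of Windows 7's .NET Framework.

```powershell
# Added example (not from the book): inspect the Trusted Root Certification Authorities store,
# find out whether a certificate fails because its issuing CA is not trusted, and import the CA
# certificate only after checking its thumbprint against a value obtained out of band.
# The function names and the thumbprint parameter are this example's own.

function Get-TrustedRootCA {
    # Same list as the Certificates snap-in shows under Trusted Root Certification Authorities.
    Get-ChildItem Cert:\CurrentUser\Root | Select-Object Subject, Thumbprint, NotAfter
}

function Test-CertificateChain {
    # Builds the chain for a certificate file and returns the chain status names (empty when trusted).
    # 'UntrustedRoot' is the programmatic form of the "CA is not trusted" error described above.
    param([Parameter(Mandatory = $true)] [string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate the trust question from CRL reachability
    [void] $chain.Build($cert)
    return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
}

function Import-TrustedRootCA {
    # Adds a CA certificate to the current user's Trusted Root store, as steps 1-7 above do,
    # but refuses unless the file's SHA-1 thumbprint equals the one the CA administrator gave you.
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint
    )
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match the expected $expected; not importing."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'CurrentUser'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
    "Imported '$($cert.Subject)' into CurrentUser\Root"
}

# Usage (paths and thumbprint are placeholders you replace with your own values):
#   Test-CertificateChain -Path .\server.cer
#   Import-TrustedRootCA -Path .\contoso-ca.cer -ExpectedThumbprint '<thumbprint from the CA administrator>'
#   Test-CertificateChain -Path .\server.cer     # should now return nothing for a chain that ends at that CA
```

Run Test-CertificateChain before and after the import: if 'UntrustedRoot' is replaced by 'NotTimeValid' or 'PartialChain', the trust problem is solved but a different issue (an expired certificate, a missing intermediate CA) remains and importing more root certificates will not fix it.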
How to Troubleshoot Untrusted Computer Accounts
Computers have accounts in AD DS domains, just like users have accounts. Typically, computer
accounts (also known as machine accounts) do not require ongoing management because
Windows and the domain controller automatically create a password and authenticate the
computer at startup.
However, computer accounts can become untrusted, which means the computer’s security
identifier (SID) or password differs from what is stored in AD DS. This occurs in either of the
following cases:
Multiple computers have the same SID. This can happen when a computer is deployed
by copying the hard disk image and the Sysprep deployment tool is not used to reset
the SID.
The computer account is corrupted in the AD DS.
You cannot reset the password on a computer account as you can the password of a user
account. If a computer account becomes untrusted, the easiest way to solve the problem is to
rejoin the computer to the domain by following these steps:
1. On the untrusted computer, click Start. Right-click Computer, and then click Properties.
The System window appears.
2. In the Computer Name, Domain, And Workgroup Settings group, click Change
Settings. The System Properties dialog box appears.
3. Click Change. The Computer Name/Domain Changes dialog box appears.
4. Click Workgroup, and then click OK. This removes the computer from the domain.
Restart the computer when prompted.
5. In the Active Directory Users And Computers tool on a domain controller, right-click
the computer account and then click Reset Account.
6. On the untrusted computer, repeat steps 2–4 to open the Computer Name/Domain
Changes dialog box. Then, click Domain, and type the name of your domain. Provide
domain administrator credentials to add the computer to the domain, and restart the
computer when prompted.
Alternatively, you can use the Netdom command-line tool on a computer running
Windows Server 2008 R2 to reset a computer account password. For earlier server versions of
Windows, Netdom was included in the Support\Tools folder on the Windows DVD. For more
information about Netdom, run netdom /? at a command prompt. Netdom is not included
with Windows 7, however.
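Although Netdom is not included with Windows 7, Windows PowerShell on Windows 7 can test and repair the computer account's secure channel in place, so the leave-and-rejoin procedure in steps 1–6 above is needed only when the repair fails. The following is an added example, not code from the book: it reports the computer's domain membership, tests whether the secure channel is valid, and attempts a repair with domain administrator credentials. The function names are this example's own; Test-ComputerSecureChannel and Get-WmiObject are built-in cmdlets.

```powershell
# Added example (not from the book): check and repair the computer account's trust with the domain
# from Windows 7 itself, so that a full leave-and-rejoin (steps 1-6 above) is only needed when the
# repair fails. Function names are this example's own.

function Get-DomainMembership {
    # Shows whether the computer is domain-joined and which domain it belongs to.
    $cs = Get-WmiObject Win32_ComputerSystem
    New-Object PSObject -Property @{
        Computer     = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

function Test-DomainTrust {
    # $true when the secure channel (the computer account password) is valid; $false when the
    # account is untrusted or no domain controller can be reached.
    try   { return [bool] (Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { Write-Warning $_.Exception.Message; return $false }
}

function Repair-DomainTrust {
    # Resets the computer account password on the domain controller and locally, which is what
    # Reset Account followed by a rejoin accomplishes. Run elevated with domain administrator credentials.
    param([System.Management.Automation.PSCredential] $Credential = (Get-Credential))
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        return 'Secure channel repaired.'
    }
    throw 'Repair failed; reset the computer account on the domain controller and rejoin the domain (steps 1-6).'
}

Get-DomainMembership
if (-not (Test-DomainTrust)) { Repair-DomainTrust }
```

Because an untrusted computer account rejects domain logons, run this while logged on with a local administrator account or with cached domain credentials; the repair itself does not require the computer to be removed from the domain first.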
PRACTICE Save Credentials for Future Use
In this practice, you use Credential Manager to store credentials, enabling you to authenticate
to a remote computer automatically.
EXERCISE Use Credential Manager
In this exercise, you use Credential Manager to save credentials for future use.
1. Log on to a computer running Windows 7. Create a new user account with the user
name MyLocalUser and assign a password. This account will not exist on any network
computers. Therefore, when connecting to remote computers, the user will always
need to provide alternate credentials.
2. On a remote computer, create a shared folder. Make note of the server and share name.
3. Log on as MyLocalUser.
4. Click Start, and then click Computer. Then, click Map Network Drive.
5. In the Map Network Drive dialog box, type \\server\share to attempt to connect to
the share you created in step 2. Click Finish.
6. When the Connect To Server dialog box appears, click Cancel twice.
This dialog box appeared because your current account did not have privileges on the
remote server and you had not entered credentials in Credential Manager.
NOTE CONFIGURE THE CREDENTIALS FOR THIS PRACTICE MANUALLY
For the purpose of this practice, you should configure the credentials manually using
Credential Manager. However, a much easier way to accomplish the same thing is
to complete the User Name and Password fields and then select the Remember
My Password check box. This causes Windows Explorer to store the credentials
automatically.
7. Click Start, and then click Control Panel.
8. Click the User Accounts link twice.
9. In the left pane, click the Manage Your Credentials link.
Credential Manager appears.
10. Click Add A Windows Credential.
11. In the Internet Or Network Address box, type the name of the server that you attempted
to connect to in step 5.
12. In the User Name and Password boxes, type your administrative credentials to the
remote server.
13. Click OK.
14. Click Start, and then click Computer. Then, click Map Network Drive.
15. In the Map Network Drive dialog box, type \\server\share to attempt to connect to
the same share you specified in step 5. Clear the Reconnect At Logon check box, and
then click Finish.
Windows Explorer automatically connects to the shared folder without prompting
you for credentials. Instead of requiring you to type the user name and password,
it retrieved them from Credential Manager.
Lesson Summary
Authentication is the process of identifying a user and proving the user’s identity.
Credential Manager stores user credentials to provide automatic authentication during
future attempts to access a resource. You can add credentials manually using the
Stored User Names And Passwords tool in Control Panel.
When troubleshooting user authentication issues, you should enable failure logon
auditing, reproduce the authentication problem, and then examine the Security
event log for details of the authentication failure. When troubleshooting network
authentication issues, verify that Group Policy settings have been updated and work
with network administrators to resolve the problem. When troubleshooting a problem
with an untrusted CA, import the CA’s certificate into the list of trusted root CAs.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Authenticating Users.” The questions are also available on the companion CD if you prefer to
review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong
are located in the “Answers” section at the end of the book.
1. Which of the following might support automatic authentication using Credential Manager?
(Choose all that apply.)
A. Connecting to a shared folder
B. Connecting to a shared printer
C. Authenticating to a Web site that uses an HTML form
D. Authenticating to a Web site that prompts for user credentials using a dialog box
2. Which of the following types of auditing would you enable to track when a user
mistypes his user name and password when logging on to a domain member
computer running Windows 7 using a local user account?
A. Audit Logon Events, Success
B. Audit Logon Events, Failure
C. Audit Account Logon Events, Success
D. Audit Account Logon Events, Failure
3. Which of the following events would be logged in the local event log if you enabled
auditing for successful and failed logon attempts? (Choose all that apply.)
A. Logging on locally to a computer running Windows 7
B. Typing a user name and password at a remote Web site
C. Connecting to a remote shared folder
D. Elevating privileges at a UAC prompt
Lesson 2: Configuring and Troubleshooting Internet Explorer Security
In recent years, more and more security compromises are initiated when users visit a Web
site. For example, Web sites might trick the user into providing confidential information,
or they might exploit a vulnerability in the browser to run code without the user’s explicit
permission.
In Windows 7, Windows Internet Explorer 8.0 is configured by default to minimize security
risks. As a result, many add-ons will not run by default and Internet Explorer runs with
minimal privileges. As an administrator, you must understand these restrictions and know
how to work around them to enable Web applications to run correctly when they require the
restricted features. In addition, you must understand how to troubleshoot common problems
with Web browsing, including using certificates and identifying Group Policy restrictions.
After this lesson, you will be able to:
Configure add-ons in Internet Explorer (including ActiveX controls)
and troubleshoot problems related to add-ons.
Add sites to the Trusted Sites list.
Describe and configure Protected Mode.
Resolve problems related to Secure Sockets Layer (SSL) certificates.
Identify Group Policy restrictions.
Estimated lesson time: 40 minutes
Internet Explorer Add-Ons
Add-ons extend Internet Explorer capabilities to enable Web sites to provide much richer,
more interactive content. For example, the following are commonly used add-ons:
Shockwave Flash
An add-on that enables complex animations, games, and other interactive capabilities
Windows Media Player
An add-on that enables Web pages to integrate audio and video
Microsoft Virtual Server VMRC Control
An add-on that enables users to control a remote virtual machine from within Internet
Explorer
The sections that follow describe how to configure add-ons and troubleshoot problems
related to add-ons.
How to Enable and Disable Add-Ons
After starting Internet Explorer, you can disable or delete add-ons by following these steps:
1. Click the Tools button on the toolbar, and then click Manage Add-Ons.
The Manage Add-Ons dialog box appears, as shown in Figure 4-5.
FIGURE 4-5 The Manage Add-Ons dialog box
2. In the Manage Add-Ons dialog box, select an add-on, and then click Disable to
prevent the add-on from automatically loading. If the add-on is an ActiveX control,
you can click Delete to permanently remove it.
If an add-on is causing serious enough problems that you can’t start Internet Explorer, you
can disable the add-on without opening Internet Explorer by following these steps:
1. Click Start, and then click Control Panel.
2. Click the Network And Internet link.
3. Under Internet Options, click the Manage Browser Add-Ons link.
The Internet Properties dialog box appears.
4. Click Manage Add-Ons.
5. In the Manage Add-Ons dialog box, select an add-on, and then click Disable to
prevent the add-on from automatically loading.
How to Start Internet Explorer without Add-Ons
A buggy or malicious add-on can cause problems with starting Internet Explorer. To work
around this problem and launch Internet Explorer without add-ons, follow these steps:
1. Click Start. Then, click All Programs, Accessories, and System Tools.
2. Click Internet Explorer (No Add-Ons).
Internet Explorer starts with all add-ons disabled. If a Web page opens a new window
when you click a link, that new window also has add-ons disabled. Add-ons will be
enabled automatically the next time you start Internet Explorer using the standard
shortcut.
Alternatively, you can start Internet Explorer manually using the -extoff parameter by
clicking Start, typing iexplore -extoff, and pressing Enter.
How to Configure Add-Ons in AD DS Domain Environments
As with earlier versions of Internet Explorer, you can use the Group Policy settings in User
Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\
Security Features\Add-on Management to enable or disable specific add-ons throughout
your organization. Typically, you need to use two settings in this group to block all
unapproved add-ons in your organization:
Add-On List
Enable this setting, and then specify the approved add-ons in your organization. To
specify an add-on, provide the class identifier (CLSID) for the add-on you need to add
as the Value Name in the Add-On List. The CLSID should be enclosed in curly brackets
(braces), such as “{BDB57FF2-79B9-4205-9444-F5FE85F37312}.” You can find the CLSID
for an add-on by reading the <object> tag from the HTML of a Web page that references
the add-on. To specify that the add-on should be denied, specify a value of 0. To allow
an add-on, specify a value of 1. To both allow an add-on and permit users to manage
the add-on, specify a value of 2.
Deny All Add-Ons Unless Specifically Allowed In The Add-On List
After specifying the add-ons you want to allow in the Add-On List setting, enable this
policy to block all other add-ons automatically. You can use the combination of these
two settings to block all unapproved add-ons.
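The following PowerShell script is an added example, not code from the training kit: it audits how these two policies are actually configured on a computer by reading the registry locations the Add-On List and Deny All Add-Ons policies write to (Policies\Ext\CLSID and the RestrictToList value under Policies\Ext, in both HKLM and HKCU), and it flags list entries whose value name is not a braced CLSID or whose data is not 0, 1 or 2. It is written for the Windows PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the training kit): audit the Internet Explorer add-on
# management policies. The registry paths are where the Add-On List and the
# "Deny All Add-Ons Unless Specifically Allowed" policies store their data;
# the meaning of 0/1/2 is as described in the text.
$policyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
)
$valueMeaning = @{ '0' = 'Denied'; '1' = 'Allowed'; '2' = 'Allowed, user may manage' }
# A CLSID must be the GUID in braces, e.g. {BDB57FF2-79B9-4205-9444-F5FE85F37312}
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-IEAddonPolicy {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }

        # RestrictToList = 1 is the "deny everything not in the list" switch.
        $restrict = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).RestrictToList
        if ($restrict -eq 1) { $effect = 'Unlisted add-ons are blocked' }
        else { $effect = 'Unlisted add-ons still run (deny-all policy not enabled)' }
        New-Object PSObject -Property @{
            Scope = $root; Entry = 'RestrictToList'; Data = $restrict; Effect = $effect }

        # Each value under the CLSID subkey is one Add-On List entry.
        $listKey = Join-Path $root 'CLSID'
        if (-not (Test-Path $listKey)) { continue }
        $list = Get-Item -Path $listKey
        foreach ($name in $list.GetValueNames()) {
            $data = [string]$list.GetValue($name)
            if ($name -notmatch $clsidPattern) {
                $effect = 'Value name is not a braced CLSID; check the entry'
            } elseif ($valueMeaning.ContainsKey($data)) {
                $effect = $valueMeaning[$data]
            } else {
                $effect = "Unexpected data '$data' (expected 0, 1 or 2)"
            }
            New-Object PSObject -Property @{
                Scope = $root; Entry = $name; Data = $data; Effect = $effect }
        }
    }
}

# Run from an elevated prompt so both the machine and user policy scopes are readable.
Get-IEAddonPolicy | Format-Table Scope, Entry, Data, Effect -AutoSize
```

An Add-On List with allowed entries but no RestrictToList line reading "blocked" is the usual cause of unapproved add-ons still loading.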
Two other Group Policy settings related to add-on management are located within both
User Configuration and Computer Configuration at Administrative Templates\Windows
Components\Internet Explorer. The settings that relate to managing add-ons are:
Turn Off Crash Detection
By default, Internet Explorer detects an add-on that crashes and disables it the next time
you start Internet Explorer. If you have a problematic add-on that is required for a critical
Web application, you can enable this policy to ensure that even a failing add-on continues
to run.
Do Not Allow Users To Enable Or Disable Add-Ons
By default, users can open the Manage Add-Ons dialog box and enable or disable add-ons.
If you enable this policy, they won’t be able to configure add-ons.
How to Configure ActiveX Add-Ons
ActiveX is a technology that enables powerful applications with rich user interfaces to run within
a Web browser. For that reason, many organizations have developed ActiveX components as
part of a Web application, and many attackers have created ActiveX components to abuse the
platform’s capabilities. Some examples of ActiveX controls include the following:
A component that enables you to manage virtual computers from a Microsoft Virtual
Server Web page
A Microsoft Update component that scans your computer for missing updates
Shockwave Flash, which many Web sites use to publish complex animations and games
A component that attempts to install malware or change user settings without the
user’s knowledge
Earlier versions of Internet Explorer installed ActiveX controls without prompting the users.
This provided an excellent experience for Web sites that used ActiveX controls because the user
was able to enjoy the control’s features without manually choosing to install it. However, malware
developers soon abused this capability by creating malicious ActiveX controls that installed
software on the user’s computer or changed other settings, such as the user’s home page.
To enable you to use critical ActiveX controls while blocking potentially dangerous ActiveX
controls, Microsoft built strong ActiveX management capabilities into Internet Explorer.
The sections that follow describe how to configure ActiveX on a single computer and within
an enterprise.
HOW TO CONFIGURE ActiveX OPT-IN
In Internet Explorer 8, ActiveX controls are not installed by default. Instead, when users visit
a Web page that includes an ActiveX control, they see an information bar that informs them
that an ActiveX control is required. Users then have to click the information bar and click
Install ActiveX Control. If the users do nothing, Internet Explorer does not install the ActiveX
control. Figure 4-6 shows the Genuine Microsoft Software Web page, which requires users to
install an ActiveX control before their copy of Windows can be validated as genuine.
FIGURE 4-6 The Genuine Microsoft Software page
After the user clicks Install This Add-on, the user needs to respond to a UAC prompt for
administrative credentials. Then the user receives a second security warning from Internet
Explorer. If the user confirms this security warning, Internet Explorer installs and runs the
ActiveX control.
ActiveX Opt-in is enabled by default for the Internet and Restricted Sites zones but
disabled by default for the Local Intranet and Trusted Sites zones. Therefore, any Web sites
on your local intranet should be able to install ActiveX controls without prompting the user.
To change the setting default for a zone, perform these steps:
1. Open Internet Explorer. Click the Tools button on the toolbar, and then click Internet
Options.
2. In the Internet Options dialog box, click the Security tab. Select the zone you want to
edit, and then click the Custom Level button.
3. Scroll down in the Settings list. Under ActiveX Controls And Plug-Ins, change the
setting for the first option, which is Allow Previously Unused ActiveX Controls To Run
Without Prompt. If this is disabled, ActiveX Opt-in is enabled. Click OK twice.
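As an added example (not from the training kit), the PowerShell script below reports the effective ActiveX Opt-in state for each of the four zones by reading the per-user zone settings in the registry. Zone setting 1208 is the Allow Previously Unused ActiveX Controls To Run Without Prompt option (data 3 = Disable, 0 = Enable), so Opt-in is on exactly when that setting is disabled; the expected defaults are the ones the text states.

```powershell
# Added example (not from the training kit): report ActiveX Opt-in per zone.
# Reads the current user's zone settings; a deployment that forces
# machine-only zone settings would need the HKLM copy instead.
$zoneKeyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# Defaults from the text: Opt-in on for Internet and Restricted Sites, off elsewhere.
$optInExpected = @{ 1 = $false; 2 = $false; 3 = $true; 4 = $true }

function Get-ActiveXOptInStatus {
    foreach ($id in 1..4) {
        $key = Join-Path $zoneKeyRoot $id
        # 1208 = "Allow previously unused ActiveX controls to run without prompt"
        $setting = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1208'
        if ($setting -eq $null) {
            $optIn = 'Not configured'      # do not guess when the value is absent
            $note = 'Check the zone in Internet Options'
        } else {
            $optIn = ($setting -eq 3)       # disabled setting means Opt-in is active
            if ($optIn -ne $optInExpected[$id]) { $note = 'Differs from Windows 7 default' }
            else { $note = '' }
        }
        New-Object PSObject -Property @{
            Zone = $zoneNames[$id]; Setting1208 = $setting; ActiveXOptIn = $optIn; Note = $note }
    }
}

Get-ActiveXOptInStatus | Format-Table Zone, Setting1208, ActiveXOptIn, Note -AutoSize
```

A Trusted Sites zone showing Opt-in off is expected, which is why sites should be added to that zone only when the prompt-free ActiveX behaviour is actually wanted.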