桌面安全培訓(xùn)教材

第六章Windows7桌面平安概述Windows7中平安管理概述使用本地組策略加強Windows7平安使用EFS和BitLocker實現(xiàn)數(shù)據(jù)平安配置應(yīng)用程序限制配置用戶賬戶控制配置WindowsFirewall配置InternetExplorer8中的平安設(shè)置配置WindowsDefenderWhatIsActionCenter?Demonstration:ConfiguringActionCenterSettingsLesson1:Windows7中平安管理概述Windows7關(guān)鍵平安功能Windows7關(guān)鍵平安功能EncryptingFileSystem(EFS)üWindowsBitLocker?andBitLockerToGo?üWindowsAppLocker?üUserAccountControlüWindowsFirewallwithAdvancedSecurityüWindowsDefender?üWindows7ActionCenterü什么是操作中心?SelecttheitemsthatyouwantcheckedforuseralertsActionCenterisacentrallocationforviewingmessagesaboutyoursystemandthestartingpointfordiagnosingandsolvingissueswithyoursystemDemo:配置操作中心設(shè)置Inthisdemonstration,youwillseehowto:

ChangeActionCenterSettingsChangeUserControlSettingsViewArchivedMessages10minLesson2:使用本地組策略加強Windows7平安什么是組策略?組策略對象如何被執(zhí)行?多本地組策略如何工作Demo:創(chuàng)立多本地組策略Demo:配置本地平安策略設(shè)置什么是組策略?組策略可以使IT管理員實現(xiàn)對用戶和計算機一對多的管理使用組策略:執(zhí)行標準化配置部署軟件強制安全設(shè)置強制桌面環(huán)境的一致性本地組策略影響登錄到該計算機的本地或域用戶組策略對象如何被執(zhí)行?計算機設(shè)置在啟動時和到策略更新周期時執(zhí)行，用戶設(shè)置在用戶登錄或到策略更新周期時執(zhí)行組策略處理順序:1.LocalGPOs2.Site-levelGPOs3.DomainGPOs4.OUGPOs多本地組策略如何工作多本地組策略允許管理員應(yīng)用不同的本地策略到本地的用戶.本地組策略對象可以應(yīng)用到3個級別的用戶:本地組策略對象應(yīng)用到本地計算機和所有用戶.

管理員組和非管理員組，只包含用戶設(shè)置.

指定的用戶，最后被執(zhí)行，僅包含用戶設(shè)置，應(yīng)用到指定的用戶.Demo:創(chuàng)立多本地組策略Inthisdemonstration,youwillseehowto:

CreateacustommanagementconsoleConfiguretheLocalComputerPolicyConfiguretheLocalComputerAdministratorsPolicyConfiguretheLocalComputerNon-AdministratorsPolicyTestmultiplelocalgrouppolicies10minDemo:配置本地平安策略設(shè)置Inthisdemonstration,youwillseehowtoreviewthelocalsecuritygrouppolicysettings10minLesson3:使用EFS和BitLocker實現(xiàn)數(shù)據(jù)平安什么是EFS?Demo:使用EFS加密和解密文件和文件夾什么是BitLocker?BitLocker需求BitLocker模式BitLocker組策略設(shè)置配置BitLocker配置BitLockertoGo恢復(fù)BitLocker加密驅(qū)動器什么是EFS?EncryptingFileSystem(EFS)isthebuilt-infileencryption

toolforWindowsfilesystems.EnablestransparentfileencryptionanddecryptionRequirestheappropriatecryptographic(symmetric)keytoreadtheencrypteddataEachusermusthaveapublicandprivatekeypairthatisusedtoprotectthesymmetrickeyAuser’spublicandprivatekeys:Caneitherbeself-generatedorissuedfromaCertificateAuthorityAreprotectedbytheuser’spasswordAllowsfilestobesharedwithotherusercertificates支持將私鑰存儲到智能卡上üEncryptingFileSystemRekeyingwizardü新的EFS組策略設(shè)置ü加密系統(tǒng)頁面文件ü支持AIS256位加密üWindows7中EFS新功能基于每用戶的脫機文件加密üDemo:使用EFS加密和解密文件和文件夾Inthisdemonstration,youwillseehowto:

EncryptfilesandfoldersConfirmthefilesandfoldershavebeenencryptedDecryptfilesandfoldersConfirmthefilesandfoldershavebeendecrypted10min什么是BitLocker？WindowsBitLocker驅(qū)動加密可以加密存儲在系統(tǒng)卷上的操作系統(tǒng)和數(shù)據(jù)ü提供對離線數(shù)據(jù)保護的支持ü保護所有安裝在加密卷上的應(yīng)用程序數(shù)據(jù)ü包含系統(tǒng)完整性校驗ü校驗啟動組件和啟動配置數(shù)據(jù)tconfigurationdataü抱著啟動過程的完整性üBitLocke需求加密和解密密鑰:硬件需求:BitLocker加密需要:計算機帶有TPM〔或更新〕芯片可移動USB設(shè)備有足夠的可用空間，BitLocker需要創(chuàng)立兩個分區(qū)BIOS兼容TPM，同時系統(tǒng)啟動時需要USB設(shè)備支持BitLocker模式Windows7支持兩種操作模式:TPM模式無-TPM模式TPMmodeLocksthenormalbootprocessuntiltheuseroptionallysuppliesapersonalPINand/orinsertsaUSBdrivecontainingaBitLockerstartupkey

Theencrypteddiskmustbelocatedintheoriginalcomputer

Performssystemintegrityverificationonbootcomponents

Ifanyitemschangedunexpectedly,thedriveislockedandpreventedfrombeingaccessedordecrypted

無-TPM模式使用組策略來允許BitLocker工作在無TPM模式

鎖定啟動過程類似于TPM模式，BitLocker啟動密鑰必須存儲在USB設(shè)備上

計算機的BIOS必須能讀取USB驅(qū)動器

提供受限的驗證

不能執(zhí)行BitLocker系統(tǒng)完整性檢查SettingsforRemovableDataDrivesGroupPolicyprovidesthefollowingsettingsforBitLocker:TurnonBitLockerbackuptoActiveDirectoryDomainServicesConfiguretherecoveryfolderonControlPanelSetupEnableadvancedstartupoptionsonControlPanelSetupConfiguretheencryptionmethodPreventmemoryoverwriteonrestartConfigureTPMvalidationmethodusedtosealBitLockerkeysBitLocker的組策略設(shè)置SettingsforFixedDataDrivesLocalGroupPolicySettingsfor

BitLockerDriveEncryptionSettingsforOperatingSystemDrivesEnablingBitLockerinitiatesastart-upwizard:

Validatessystemrequirements

Createsthesecondpartitionifitdoesnotalreadyexist

Allowsyoutoconfigurehowtoaccessanencrypteddrive:

USB

UserfunctionkeystoenterthePassphrase

NokeyThreemethodstoenableBitLocker:

FromSystemandSettingsinControlPanel

Right-clickthevolumetobeencryptedinWindowsExplorerandselecttheTurnonBitLockermenuoptionUsethecommand-linetooltitledmanage-bde.wsfInitiatingBitLockerthroughWindowsExplorer通過控制臺初始化BitLocker配置BitLockerManageaDriveEncryptedbyBitLockerToGoSelecthowtostoreyourrecoverykeyManageaDriveEncryptedbyBitLockerToGoEnableBitLockerToGoDriveEncryptionbyright-clickingtheportabledevice(suchasaUSBdrive)andthenclickingTurnOnBitLocker

SelectoneofthefollowingsettingstounlockadriveencryptedwithBitLockerToGo:UnlockwithaRecoveryPasswordorpassphraseUnlockwithaSmartCardAlwaysauto-unlockthisdeviceonthisPC配置BitLockerToGoSelecthowtounlockthedrive–throughapasswordorbyusingaSmartcardEncrypttheDrive恢復(fù)BitLocker加密的驅(qū)動當(dāng)一臺啟用Bitlocker的計算機啟動時:

BitLocker檢查操作系統(tǒng)是否有平安隱患

如果檢查到:

BitLocker進入到恢復(fù)模式，并保持系統(tǒng)分區(qū)鎖定

用戶必須輸入正確的恢復(fù)密鑰才能繼續(xù)BitLocker恢復(fù)密碼是:48位數(shù)字密碼用來解鎖系統(tǒng)UniquetoaparticularBitLockerencryption可以被存儲在ActiveDirectory如果存儲在活動目錄中，通過驅(qū)動標簽或計算機密碼搜索它Lesson4:配置應(yīng)用程序限制什么AppLocker?AppLocker規(guī)那么Demo:配置AppLocker規(guī)那么Demo:強制AppLocker規(guī)那么什么是軟件限制策略?什么AppLocker?AppLocker的好處：控制用戶如何訪問和運行所有類型的應(yīng)用程序確保用戶桌面上只能運行允許的程序和許可的軟件

AppLocker是Windows7中的一項新平安功能，使得IT管理員可以指定用戶可以執(zhí)行那些應(yīng)用程序默認規(guī)則:所有用戶可以運行默認程序文件目錄下的文件所有用戶可以運行經(jīng)過Windows操作系統(tǒng)簽名過的文件內(nèi)置管理員組可以運行所有文件首先，在手工創(chuàng)建新規(guī)則之前，創(chuàng)建默認AppLocker規(guī)則，然后字定義規(guī)則創(chuàng)建自定義規(guī)則在本地安全策略控制臺使用AppLocker向?qū)ё詣由梢?guī)則ü你可以配置執(zhí)行規(guī)則、WindowsInstaller規(guī)則、腳本規(guī)則ü你可以指定一個包含.exe文件的文件夾給某條規(guī)則ü你可以創(chuàng)建某個.exe文件的例外規(guī)則ü你可以創(chuàng)建基于數(shù)字簽名的應(yīng)用程序規(guī)則ü你可以手工創(chuàng)建一個自定義特殊執(zhí)行規(guī)則üAppLocker規(guī)那么Demo:配置AppLocker規(guī)那么Inthisdemonstration,youwillseehowto:

CreatenewexecutableruleCreatenewWindowsInstallerruleAutomaticallygenerateScriptrules10minDemo:強制AppLocker規(guī)那么Inthisdemonstration,youwillseehowto:

EnforceAppLockerRulesConfirmtheexecutableruleenforcementConfirmtheWindowsInstallerruleenforcement10min什么是軟件限制策略?軟件限制策略(SRP)可以明確用戶可以允許執(zhí)行那些軟件

SRP是WindowsXP和WindowsServer2003支持的策略SRP是設(shè)計用來幫助組織控制一些不允許執(zhí)行的未知代碼和惡意的程序

SRP包含默認安全級別，所有的規(guī)則都在組策略應(yīng)用時被執(zhí)行HowdoesSRPcomparetoWindowsAppLocker?AppLocker是用來替換軟件限制策略的üSRP控制臺和SRP規(guī)則在Windows7同樣也支持，主要用來實現(xiàn)向下兼容性üAppLocker規(guī)則完全獨立于SRP規(guī)則üAppLocker組策略獨立于SRP組策略üIfAppLocker規(guī)則定義于一個GPO中，只有指定規(guī)則被應(yīng)用ü根據(jù)企業(yè)客戶端版本分別定義AppLocker和SRP規(guī)則üSRP和AppLocker比較Lesson5:配置用戶賬戶控制什么UAC?UAC如何工作Demo:配置UAC的組策略設(shè)置配置UAC提示設(shè)置什么UAC?用戶賬戶控制(UAC)是一項平安功能，使得用戶在標準用戶模式下執(zhí)行必須的日常任務(wù)UAC必要時會要求用戶提升到管理員模式下執(zhí)行相應(yīng)的操作Windows7增強了用戶控制的提升體驗UAC如何工作在Windows7中，當(dāng)用戶執(zhí)行一項需要管理員特權(quán)的任務(wù)時，會出現(xiàn)什么提示?Administrative

Users

UACpromptstheuserforpermissiontocompletethetaskStandard

Users

UACpromptstheuserforthecredentialsofauserwithadministrativeprivilegesDemo:配置UAC的組策略設(shè)置Inthisdemonstration,youwillseehowto:

OpentheUserAccountswindowReviewusergroupsViewtheCredentialPromptChangeUserAccountSettingsandViewtheConsentPrompt10min配置UAC提示設(shè)置UAC的用戶體驗級別有：

Alwaysnotifyme

Notifymeonlywhenprogramstrytomakechangestomycomputer

Notifymeonlywhenprogramstrytomakechangestomycomputer(donotdimmydesktop)

Nevernotify

LabA:ConfiguringUAC,LocalSecurityPolicies,EFS,andAppLockerExercise1:ConfiguringvirusprotectionandUserAccountControl(UAC)notificationsettingsinActionCenterExercise2:ConfiguringMultipleLocalGroupPoliciestomanagetheappearanceofselectedprogramiconsExercise3:ConfiguringandtestingencryptionoffilesandfoldersExercise4:ConfiguringandtestingAppLockerrulestocontrolwhatprogramscanbeexecutedLogoninformationEstimatedtime:50minutesVirtualmachine6292A-LON-DC16292A-LON-CL1UsernameContoso\AdministratorPasswordPa$$w0rdLabAScenarioYourcompanyisimplementingWindows7computersforallcorporateusers.Asanadministratoratyourorganization,youareresponsibleforconfiguringthenewWindows7computerstosupportvariouscorporaterequirements. Youhavebeenaskedto:TurnoffvirusprotectionnotificationsVerifytheUserAccountControl(UAC)settingsaresetto“Alwaysnotifybutnotdimthedesktop〞Configuremultiplelocalgrouppoliciestocontrolwhichofthedefaultprogramiconsappearonusers’andadministrators’computersEncryptallsensitivedataoncomputersusingEFSUseAppLockerrulestopreventcorporateusersfromrunningWindowsMediaPlayerandinstallingunauthorizedapplicationsLabAReviewWherecanyouturnonandoffsecuritymessagesrelatedtovirusprotection?WhataresomeoftheothersecuritymessagesthatcanbeconfiguredinWindows7?Howcanthenotificationsaboutchangestothecomputerbesuppressed?Canmultiplelocalgrouppoliciesbecreatedandappliedtodifferentusers?WhataresomeofthewaysofprotectingsensitivedatainWindows7?HowcanWindows7usersbepreventedfromrunningapplications,suchasWindowsMediaPlayer?Lesson6:配置WindowsFirewall討論：什么是防火墻?配置根本防火墻設(shè)置高級平安Windows防火墻常見應(yīng)用程序使用的端口Demo:配置入站、出戰(zhàn)連接平安規(guī)那么討論：什么是防火墻?你們公司正在使用哪種類型的防火墻?是什么原因選擇的它?10min配置網(wǎng)絡(luò)位置翻開或關(guān)閉Windows防火墻，自定義網(wǎng)絡(luò)位置設(shè)置添加，修改和移除允許的程序設(shè)置和修改多個活動的配置文件設(shè)置配置Windows防火墻提示配置根本防火墻設(shè)置高級平安Windows防火墻WindowsFirewallwithAdvancedSecurityfiltersincomingandoutgoingconnectionsbasedonitsconfigurationInboundrulesexplicitlyalloworexplicitlyblocktrafficthatmatchescriteriaintherule.Outboundrulesexplicitlyalloworexplicitlydenytrafficoriginatingfromthecomputerthatmatchesthecriteriaintherule.ConnectionsecurityrulessecuretrafficbyusingIPsecwhileitcrossesthenetwork.Themonitoringinterfacedisplaysinformationaboutcurrentfirewallrules,connectionsecurityrules,andsecurityassociations.ThePropertiespageisusedtoconfigurefirewallpropertiesfordomain,private,andpublicnetworkprofiles,andtoconfigureIPsecsettings.常見應(yīng)用程序使用的端口當(dāng)計算機要和遠程的主機建立通訊時，將會創(chuàng)建TCP或UDP的套接字TCP/IPProtocolSuiteTCPUDPEthernetHTTPFTPSMTPDNSPOP3SNMPIPv6IPv4ARPIGMP

ICMPHTTPSDemo:配置入站、出戰(zhàn)連接平安規(guī)那么Inthisdemonstration,youwillseehowto:

ConfigureanInboundRuleConfigureanOutboundRuleTesttheOutboundRuleCreateaConnectionSecurityRuleReviewMonitoringSettingsinWindowsFirewall15minLesson7:配置InternetExplorer8的平安設(shè)置討論:InternetExplorer8在兼容性功能InternetExplorer8增強的隱私保護功能InternetExplorer8的SmartScreen功能InternetExplorer8的其它平安功能Demo:配置InternetExplorer8的平安設(shè)置討論:InternetExplorer8在兼容性功能10min在你更新IE時，你會碰到哪些兼容性我呢間?InternetExplorer8增強的隱私保護功能InPrivateBrowsing-inherentlymoresecurethanusingDeleteBrowsingHistorytomaintainprivacybecausetherearenologskeptortracksmadeduringbrowsingüInPrivateFiltering-helpsmonitorthefrequencyofallthird-partycontentasitappearsacrossallWebsitesvisitedbytheuserüEnhancedDeleteBrowsingHistory-enablesusersandorganizationstoselectivelydeletebrowsinghistoryüInternetExplorer8的SmartScreen功能UsethislinktonavigateawayfromanunsafeWebsiteandstartbrowsingfromatrustedlocationUsethislinktoignorethewarning;theaddressbarremainsredasapersistentwarningthatthesiteisunsafeInternetExplorer8的其它平安功能Per-userActiveX–使得標準用戶可以安裝ActiveX控件在自己的用戶配置文件里，不需要管理員特權(quán)üPer-siteActiveX–IT管理員使用組策略預(yù)先設(shè)置被允許的相關(guān)聯(lián)域的控件üXSSFilter–如果在服務(wù)器的響應(yīng)中出現(xiàn)重播，將被識別為跨站腳本攻擊üDEP/NXprotection-查找內(nèi)存中沒有明確包含可執(zhí)行代碼的數(shù)據(jù)(這些數(shù)據(jù)有時會是病毒的源代碼),找到這些數(shù)據(jù)后,NX將它們都標記為“不可執(zhí)行üDemo:配置InternetExplorer8的平安設(shè)置Inthisdemonstration,youwillseehowto:

EnableCompatibilityViewforAllWebSitesDeleteBrowsingHistoryConfigureInPrivateBrowsingConfigureInPrivateFilteringViewAdd-onManagementInterface10minLesson8:配置WindowsDefender什么是惡意軟件?什么是WindowsDefender?WindowsDefender的掃描選項Demo:配置WindowsDefender設(shè)置什么是惡意軟件?惡意軟件包括:病毒蠕蟲特洛伊木馬間諜軟件廣告軟件惡意軟件將導(dǎo)致:性能降低數(shù)據(jù)丟失隱私泄露降低用戶的效率未經(jīng)允許的篡改計算機配置惡意軟件是一種蓄意破話計算機的一種軟件.什么是WindowsDefender?WindowsDefender是一種安全軟件，可以用來保護計算機對抗安全風(fēng)險，它能檢測和移除已知的間諜軟件.計劃掃描將按原先的計劃定期執(zhí)行提供可配置的響應(yīng)為嚴重、高、中、低的警告級別提供可定義的選項來例外文件，文件夾和文件類型通過WindowsUpdate自動安裝新的間諜軟件定義當(dāng)掃描完成時，將在主頁顯示結(jié)果.WindowsDefender的掃描選項當(dāng)掃描時，你可以定義你可以定義，掃描什么OptionDescription掃描歸檔文件Mayincreasescanningtime,butspywarelikestohideintheselocations掃描e-mailScane-mailmessagesandattachments掃描可移動驅(qū)動器ScanremovabledrivessuchasUSBflashdrives啟發(fā)式掃描Alertyoutopotentiallyharmfulbehaviorifitisnotincludedinadefinitionfile創(chuàng)建還原點Ifdetecteditemsareautomaticallyremoved,thisrestoressystemsettingsifyouwanttousesoftwareyoudidnotintendtoremoveScanTypeDescription快速掃描掃描計算機最容易被感染相關(guān)系統(tǒng)位置完全掃描掃描計算機所有的位置自定義掃描掃描用戶指定的位置Demo:配置WindowsDefender設(shè)置Inthisdemonstration,youwillseehowto:

SetWindowsDefenderOptionsViewQuarantineItemsViewAllowedItemsMicrosoftSpyNetWindowsDefenderWebsite10minLabB:ConfiguringWindowsFirewall,InternetExplorer8.0SecuritySettings,andWindowsDefenderExercise1:ConfiguringandTestingInboundandOutboundRulesinWindowsFirewallExercise2:ConfiguringandTestingSe