Desktop and server security
TRANSCRIPT
![Page 1: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/1.jpg)
DESKTOP AND SERVER SECURITY
• IS YOUR DESKTOP SECURE?
• HOW TO SECURE YOUR OWN DESKTOP
BY AROHI MORYA
ATL FOUNDATION, ARA
![Page 2: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/2.jpg)
Introduction
An important question is how important security is, and how much we are willing to pay for it in financial, convenience, performance and other terms.
![Page 3: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/3.jpg)
Operating Systems
• Windows
• Linux
![Page 4: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/4.jpg)
Windows 7 Desktop Security
• INTRODUCTION
• USER ACCOUNT CONTROL
• INTERNET EXPLORER
• WINDOWS FIREWALL
• LOCAL ADMINISTRATION GROUP
• LOCAL USER
• LOCAL ADMINISTRATION ACCOUNT
• SERVICES
• APPLOCKER
• BITLOCKER
![Page 5: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/5.jpg)
Introduction
ALTHOUGH WINDOWS 7 IS MORE SECURE THAN ITS PREDECESSORS, IT REMAINS VULNERABLE TO SECURITY THREATS. THIS TIP COVERS STEPS FOR SECURING WINDOWS 7 DESKTOPS.
YOU WILL HAVE A PERFECT OPPORTUNITY TO SECURE YOUR WINDOWS 7 DESKTOP.
YOU CAN REDUCE HELPDESK CALLS AND INCREASE PRODUCTIVITY AND SECURITY.
I WILL SHOW YOU HOW TO SECURE YOUR OWN DESKTOP STEP BY STEP.
![Page 6: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/6.jpg)
User Account Control (UAC)
WINDOWS 7 MAKES IT MUCH EASIER TO DEAL WITH UAC SETTINGS, AND IN FACT YOU DON'T HAVE TO COMPLETELY DISABLE UAC IF YOU DON'T WANT TO. JUST TYPE UAC INTO THE START MENU OR CONTROL PANEL SEARCH BOX.
THE USER ACCOUNT CONTROL SETTING CONTROLS HOW THE USER IS NOTIFIED WHEN PROGRAMS ARE INSTALLED OR REMOVED.
![Page 7: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/7.jpg)
User Account Control settings
THE NOTIFICATION SCALE SHOWS THE LEVELS: THE UPPER LEVEL IS FOR HIGH RISK AND THE LOWER LEVEL IS FOR LOW RISK.
![Page 8: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/8.jpg)
Internet Explorer
INTERNET EXPLORER COMES WITH ALL WINDOWS OPERATING SYSTEMS, BUT THE VERSION CHANGES.
WINDOWS 7 PROVIDES SOME AMAZING SECURITY WHEN WE ARE BROWSING WITH INTERNET EXPLORER.
PROTECTED MODE SECURES OUR SYSTEM BY LEVERAGING THE BENEFITS OF USER ACCOUNT CONTROL, PLUS ADDING INTEGRITY CONTROLS AND ISOLATION OF INTERNET EXPLORER FROM OTHER RUNNING APPLICATIONS.
![Page 9: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/9.jpg)
OPEN INTERNET EXPLORER, GO TO SETTINGS, OPEN THE DIALOG BOX AND CLICK INTERNET OPTIONS. THEN CHECK ALL THE TABS FOR PRIVATE SETTINGS, SUCH AS GENERAL, SECURITY, PRIVACY, ETC.
![Page 10: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/10.jpg)
Windows Firewall
The Windows 7 firewall now gives you the ability to select from three network location types upon connecting your computer to a new network.
Another evolutionary step in the Windows 7 firewall is its support for multiple firewall profiles simultaneously.
In order for us to centralize, customize, and define more rules for our Windows 7 desktops, we can use Group Policy.
![Page 11: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/11.jpg)
Local administration group
TO HELP MAKE OUR COMPUTER MORE SECURE, ADD A USER TO THE ADMINISTRATORS GROUP ONLY IF IT IS ABSOLUTELY NECESSARY. USERS IN THE ADMINISTRATORS GROUP HAVE COMPLETE CONTROL OF THE COMPUTER. THEY CAN SEE EVERYONE'S FILES, CHANGE ANYONE'S PASSWORD, AND INSTALL ANY SOFTWARE THEY WANT.
TO CONTROL THIS, WE CAN USE GROUP POLICY PREFERENCES.
![Page 12: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/12.jpg)
Local user
LOCAL USERS MEANS THAT WINDOWS 7 LETS MORE THAN ONE USER USE THE SAME SYSTEM, EACH WITH THEIR OWN USER ACCOUNT.
WINDOWS 7 ALLOWS YOU TO HAVE MULTIPLE USERS SHARING THE SAME COMPUTER UNDER THEIR OWN INDIVIDUAL ACCOUNTS.
![Page 13: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/13.jpg)
Create new account
![Page 14: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/14.jpg)
Services
WE DON'T WANT USERS RUNNING JUST ANY OLD SERVICE ON THEIR WINDOWS 7 COMPUTER. THEREFORE WE CAN ESTABLISH A LIST OF APPROVED AND DENIED SERVICES USING GROUP POLICY PREFERENCES.
WINDOWS SERVICES CAN BE CONFIGURED TO START WHEN THE OPERATING SYSTEM IS STARTED AND RUN IN THE BACKGROUND AS LONG AS WINDOWS IS RUNNING. ALTERNATIVELY, THEY CAN BE STARTED MANUALLY OR BY AN EVENT. WINDOWS NT OPERATING SYSTEMS INCLUDE NUMEROUS SERVICES WHICH RUN IN THE CONTEXT OF THREE USER ACCOUNTS.
![Page 15: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/15.jpg)
AppLocker
THE SOFTWARE CONFIGURATION OF A TYPICAL DESKTOP COMPUTER CHANGES FROM ITS DESIRED OR INITIAL STATE, USUALLY FROM THE INSTALLATION AND EXECUTION OF NON-STANDARD OR UNAPPROVED SOFTWARE.
THIS MEANS THE TECHNIQUE ALWAYS SHOWS A NOTIFICATION ALERT ASKING THE USER WHETHER THEY ARE SURE THEY WANT TO INSTALL PARTICULAR DATA, AN APPLICATION, ETC.
![Page 16: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/16.jpg)
BitLocker
WINDOWS 7 BITLOCKER™ DRIVE ENCRYPTION IS A DATA PROTECTION FEATURE AVAILABLE IN WINDOWS® 7 ENTERPRISE AND ULTIMATE FOR CLIENT COMPUTERS AND IN WINDOWS SERVER 2008 R2.
THE TECHNOLOGY IS SIMPLE AND EASY TO CONFIGURE.
• SUPPORT FOR NEW FILE SYSTEMS (FAT, FAT32, EXFAT).
• SUPPORT FOR REMOVABLE DATA VOLUMES: NOW ANY VOLUME FORMATTED USING A SUPPORTED FILE SYSTEM CAN BE PROTECTED, WHETHER AN EXTERNAL HARD DRIVE OR A FLASH STICK.
• NEW KEY PROTECTORS: A PASSWORD OR A SMARTCARD CAN NOW BE USED TO PROTECT DATA VOLUMES.
• NEW RECOVERY MECHANISM: A PUBLIC-KEY-BASED KEY PROTECTOR CAN NOW BE USED BY ENTERPRISE-DESIGNATED DATA RECOVERY AGENTS (DRA) TO TRANSPARENTLY PROTECT ALL VOLUMES AND RECOVER THEM WITHOUT THE NEED OF A RECOVERY KEY OR RECOVERY PASSWORD.
![Page 17: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/17.jpg)
Local Rights and Privileges
LOCAL RIGHTS: THESE ARE PER-COMPUTER CONFIGURATIONS THAT CONTROL WHAT A USER CAN DO TO A COMPUTER.
PERMISSIONS ARE WHAT YOU CONFIGURE FOR RESOURCE ACCESS. A RESOURCE IS A FILE, FOLDER, REGISTRY KEY, PRINTER, OR ACTIVE DIRECTORY OBJECT. PERMISSIONS DEFINE WHO CAN DO WHAT TO A RESOURCE.
EXAMPLES OF PERMISSIONS ARE READ, MODIFY, DELETE, ETC.
![Page 18: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/18.jpg)
What is the Registry
IN GENERAL USAGE, A REGISTRY IS A RECORD OF PARTICULAR NAMES OR OTHER ITEMS THAT HAVE BEEN REGISTERED. IN COMPUTING, IT IS THE DATABASE THAT STORES CONFIGURATION SETTINGS AND OPTIONS ON MICROSOFT WINDOWS OPERATING SYSTEMS. MICROSOFT FIRST INTRODUCED IT IN WINDOWS 3.1.
YES, THE DESKTOP CAN BE SECURED BY REGISTRY EDITING.
![Page 19: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/19.jpg)
Registry Structure
THE REGISTRY HAS TWO BASIC ELEMENTS:
1. KEYS
2. VALUES
IT ALSO HAS FIVE CLASSES:
1. HKEY_CLASSES_ROOT
2. HKEY_CURRENT_USER
3. HKEY_LOCAL_MACHINE
4. HKEY_USERS
5. HKEY_CURRENT_CONFIG
![Page 20: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/20.jpg)
Registry Editing
The registry is edited manually. Manually means by the current user, as an administrator or guest user.
To open it, press Windows key + R, type "regedit" and press Enter; Registry Editor opens.
Registry Editor is a tool intended for advanced users. It's used to view and change settings in the system registry, which contains information about how your computer runs.
![Page 21: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/21.jpg)
RULES FOR EDITING THE REGISTRY SAFELY
I followed the rules. Here are my five rules for safer Registry editing:
1. The ironclad rule of Registry editing is that you must first back up the Registry. For many, making a System Restore point is the most convenient backup method. I also use the export facility of Regedit to make a copy of the Registry key that I am working on. Keep in mind that Regedit has no Undo function.
2. Know how to restore a Registry backup. It can be as simple as running System Restore or merging a backup REG file.
3. Make only one Registry edit at a time. Wait to see if everything works the way you want before making any more changes to the Registry. Don't forget that many Registry edits require that you log off or reboot before they take effect.
4. Only use Registry edits recommended by known reliable sources. Many of the common recommendations on the Internet are useless or nearly so. And some are even harmful.
5. Remember Rule #1.
![Page 22: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/22.jpg)
Root keys or Hives
| Keys | Abbreviation | Description |
| --- | --- | --- |
| HKEY_CLASSES_ROOT | HKCR | Stores file association and COM object registration |
| HKEY_CURRENT_USER | HKCU | Stores data associated with the account currently logged on |
| HKEY_LOCAL_MACHINE | HKLM | Stores system-related information |
| HKEY_USERS | HKU | Stores information about all the accounts on the machine |
| HKEY_CURRENT_CONFIG | HKCC | Stores information about the current machine profile |
![Page 23: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/23.jpg)
REGISTRY FILES
THE REGISTRY EDITOR ON THESE WINDOWS SYSTEMS ALSO SUPPORTS EXPORTING .REG FILES IN WINDOWS 9X/NT FORMAT. DATA IS STORED IN .REG FILES.
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT]
![Page 24: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/24.jpg)
PROTECTING THE REGISTRY
ALL THE INITIALIZATION AND CONFIGURATION INFORMATION USED BY WINDOWS IS STORED IN THE REGISTRY. NORMALLY, THE KEYS IN THE REGISTRY ARE CHANGED INDIRECTLY, THROUGH ADMINISTRATIVE TOOLS SUCH AS THE CONTROL PANEL.
THE SECURITY PERMISSIONS SET ON THIS KEY DEFINE WHICH USERS OR GROUPS CAN CONNECT TO THE SYSTEM FOR REMOTE REGISTRY ACCESS.
HIVE: HKEY_LOCAL_MACHINE
KEY: \CurrentcontrolSet\Control\SecurePipeServers
NAME: \winreg
![Page 25: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/25.jpg)
Policy
GROUP POLICY IS A HIERARCHICAL INFRASTRUCTURE THAT ALLOWS A NETWORK ADMINISTRATOR IN CHARGE OF MICROSOFT'S ACTIVE DIRECTORY TO IMPLEMENT SPECIFIC CONFIGURATIONS FOR USERS AND COMPUTERS. GROUP POLICY CAN ALSO BE USED TO DEFINE USER, SECURITY AND NETWORKING POLICIES AT THE MACHINE LEVEL.
GROUP POLICY IS A TOOL USED TO ASSIGN POLICIES TO A SYSTEM. GROUP POLICIES ARE DESIGNED TO APPLY POLICY SETTINGS TO A WIDE VARIETY OF TASKS.
WINDOWS 2000 AND LATER VERSIONS OF WINDOWS USE GROUP POLICY TO ENFORCE REGISTRY SETTINGS. POLICY MAY BE APPLIED LOCALLY TO A SINGLE COMPUTER USING GPEDIT.MSC OR TO MULTIPLE COMPUTERS IN A DOMAIN USING GPMC.MSC.
TO OPEN THE GROUP POLICY EDITOR, GO TO THE RUN DIALOG BOX AND TYPE GPEDIT.MSC
![Page 26: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/26.jpg)
Using Group Policy Editor
Notice that the local security policy is divided into Computer Configuration and User Configuration. The Desktop configuration portion of the local security policy can be found by navigating through the console to User Configuration.
![Page 27: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/27.jpg)
Create Registry Value
STEP 1: FIRST OPEN THE REGISTRY EDITOR: GO TO RUN, TYPE REGEDIT AND CLICK OK.
STEP 2: THEN CREATE A VALUE BY RIGHT-CLICKING IN THE LEFT-HAND SIDE WINDOW. IT MAY BE A DWORD VALUE, A STRING VALUE, ETC., DEPENDING UPON THE REGISTRY CONFIGURATION AND ITS PATH.
![Page 28: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/28.jpg)
Windows 8 introduction & security
Windows 8 is the newest member of the Microsoft Windows family, and Windows 8.1 is an update that includes some new features, e.g. the Start menu.
Why Windows 8 or 8.1
This version was built by Microsoft for broad access on laptops, PCs, tablet PCs and mobile phones using modern technology at home.
• Provide the experience and devices that users love and expect.
• Deliver enterprise-grade solutions that we can use to manage and secure them.
Windows 8 also offers enterprise-grade solutions. Windows 8 includes:
• Enhanced end-to-end security
• Management and virtualization advancements
Windows 8 also has a fast boot and shutdown feature compared with the rest of the Microsoft Windows family.
![Page 29: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/29.jpg)
Similarities between Windows 7 and Windows 8
Windows 8 is just an improvement on Windows 7 features. But there are still some points that are common to both:
• Windows 8 uses the same management tools that we already use to support Windows 7 in our organization.
• In Windows 7 you can quickly run apps by pressing the Windows logo key, typing the name of the app and pressing Enter. We can do the same in Windows 8.
• In Windows 8 we swipe in from the top edge of the screen to display app commands, or simply right-click with the mouse.
Windows 8 is definitely more secure than Windows 7. An integrated antivirus and application reputation system, along with a tamed app ecosystem that replaces the wild-west nature of previous versions of Windows, will probably make the most difference for inexperienced users that may not have run an antivirus or known which applications were safe to install on previous versions of Windows. Low-level improvements to the way Windows manages memory will help everyone, even power users.
![Page 30: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/30.jpg)
New features of Windows 8 or 8.1
Windows 8 is focused on users
Windows is focused very heavily on a new, tiled, touch-centric interface for tablets.
![Page 31: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/31.jpg)
End-to-end security
• Windows 8 has a secure booting system because some malware programs target the boot process and insert.
• Measured Boot on Trusted Platform Module (TPM) based systems.
• BitLocker Drive Encryption: a data protection feature in Windows 8 Pro and Windows 8 Enterprise editions that helps protect against data theft from lost, stolen or inappropriately decommissioned computers.
• AppLocker: a simple and flexible mechanism that allows us to specify exactly which apps are allowed to run on users' PCs.
• Windows SmartScreen: an app reputation safety feature in Windows 8 or 8.1.
• Claims-based access control: enables you to set up and manage usage policies for files, folders, and shared resources.
![Page 32: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/32.jpg)
Hardware Recommendations
Windows 8 or 8.1
If you want to run Windows 8.1 on your PC, here's what it takes:
• Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2
• RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
• Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
• Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
If we're running Windows 8 we can get a free update to Windows 8.1. Just tap or click the Windows Store tile on your Start screen. Once we've moved up to Windows 8.1 we should get the update automatically. If you don't, follow these steps to get it manually using Windows Update.
![Page 33: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/33.jpg)
Hardware Innovation
Touch
Touch is clearly front and centre for Microsoft
1. The response times required for touch
2. The sensitivity and precision required of the digitizer
3. The user experience of a flush bezel
Long battery life
One of the key design tenets of Windows 8 or 8.1 is to enable long battery life
Sensor and security
Windows 8 or 8.1 enables developers to take advantage of hardware innovations such as
4. Low-power Bluetooth
5. GPS
6. Gyroscopes
7. Accelerometer
We will also be able to take advantage of security hardware technology like Trusted Platform Module (TPM) and Unified Extensible Firmware Interface (UEFI) boot.
![Page 34: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/34.jpg)
Windows 8 Security
• Protecting the client against threats
• Boot options for security
• Smart screen
• Vulnerability mitigation and sandboxing
• Protecting sensitive data
• Secure access to resources
![Page 35: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/35.jpg)
Protecting the client against threats
Microsoft actually introduced a few great features in its new operating system, some of which will help keep you safer from malware and other security threats.
To take full advantage of Windows 8’s new security features, your PC needs to run a new kind of boot system called Unified Extensible Firmware Interface (UEFI). This system, which replaces the archaic Basic Input/output System (BIOS), adds many new boot features and greatly speeds the start-up process.
Windows 8 offers several enhancements such as Trusted Boot, Internet Explorer SmartScreen application reputation and app sandboxing.
![Page 36: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/36.jpg)
Boot options for security
Measured Boot
The biggest challenge with rootkits and bootkits on earlier versions of Windows is that they can be undetectable to the client. Because they start before antimalware and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, PCs infected with rootkits appear to be healthy, even with antimalware running.
Secure Boot
When a PC starts, it starts the process of loading the operating system by locating the bootloader on the PC's hard drive. If a PC doesn't support Secure Boot (as is the case with most PCs released prior to Windows 8), the PC simply hands control over to the bootloader, without even determining whether it is a trusted operating system or malware.
On new Windows 8 computers that use the UEFI firmware instead of the old-style BIOS, Secure Boot guarantees that only specially signed and approved software can run at boot. On current computers, malware could install a malicious boot loader that loads before the Windows boot loader, starting a boot-level rootkit (or "bootkit") before Windows even launches. The rootkit could then hide itself from Windows and antivirus software, pulling the strings in the background.
![Page 37: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/37.jpg)
Smart screen
• Smart screen checks application reputation.
• Smart screen gives broader protection.
• When we install a new app, it is activated automatically and reminds us to check that we are secure.
![Page 38: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/38.jpg)
Vulnerability mitigation and sandboxing
Windows 8 has improved address space layout randomization (ASLR) and data execution prevention (DEP), both of which make exploiting vulnerabilities more difficult.
The combination of DEP and ASLR in Windows 8 increases the amount of effort required by an attacker to develop and be successful with an exploit.
![Page 39: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/39.jpg)
Protecting sensitive data
Where users travel, so does their organization's confidential data. Since Windows Vista, BitLocker has provided full drive encryption capable of protecting both confidential data and system integrity. Windows 8 improves BitLocker by making it easier and faster to deploy, more convenient, and more manageable.
Table 2 lists specific data-protection challenges in Windows 7 and the Windows 8 solution.

Table 2. Windows 8 solutions to Windows 7 data-protection challenges

| Windows 7 challenge | Windows 8 solution |
| --- | --- |
| When BitLocker is used with a PIN to protect start-up, PCs such as servers and kiosks cannot be restarted remotely. | Network Unlock allows PCs to start automatically when connected to the internal network. |
| Users must contact IT to change their BitLocker PIN or password. | Windows 8 allows users with standard privileges to change their BitLocker PIN or password. |
| Enabling BitLocker can make the provisioning process take several hours. | BitLocker preprovisioning and Used Space Only encryption allow BitLocker to be quickly enabled on new computers. |
| No support for using BitLocker with Self-Encrypting Drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, allowing administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | BitLocker To Go's Used Space Only encryption allows users to encrypt drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the user loses their PIN or password. |
![Page 40: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/40.jpg)
Secure access to resources
Pervasive Internet access and the latest generation of lightweight tablets and Ultrabook devices have changed the way users work. They are not sitting at a desk with a mouse and keyboard anymore; they are using touch interfaces, travelling around the world, and working from untrusted networks. Let's explore the different ways Windows 8 meets these modern work styles.
• Virtual smart cards enable two-factor authentication in a cost-effective manner.
• Dynamic Access Control enables granular and complex resource protection throughout an enterprise.
![Page 41: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/41.jpg)
LINUX SECURITY
INTRODUCTION & SECURITY
![Page 42: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/42.jpg)
OVERVIEW
• ADVANTAGE LINUX
• THREATS TO LINUX MACHINES
• SECURING LINUX BETTER
• HOW TO SECURE LINUX
![Page 43: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/43.jpg)
LINUX KERNEL
• The kernel is the central nervous system of Linux; it includes the OS code which runs the whole computer.
• It provides resources to all other programs that you run under Linux, and manages all other programs as they run.
• The kernel includes the code that performs certain specialized tasks, including TCP/IP networking.
• The kernel design is modular, so that the actual OS code is very small and can load what it needs when it needs it, and then free the memory afterwards; thus the kernel remains small, fast and highly extensible.
![Page 44: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/44.jpg)
LINUX NETWORKING
• Networking comes naturally to Linux. In a real sense, Linux is a product of the Internet or World Wide Web (WWW).
• Linux is made for networking. Probably all networking protocols in use on the Internet are native to Unix and/or Linux. A large part of the Web is running on Linux boxes, e.g. AOL.
![Page 45: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/45.jpg)
ENCRYPTION
Encryption is commonly used to secure data. It is the ancient technique of hiding information in plain sight. It includes:
• Strong encryption: stronger than the 40-bit encryption maximum that can be exported from the United States under U.S. law.
• Public-key encryption: a type of asymmetric encryption, a system in which you encrypt your message with one key, and the recipient decrypts it with a mathematically related, but different key.
![Page 46: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/46.jpg)
THE SECURE SHELL (SSH)
• ssh and its tools use strong encryption to allow remotely located systems to exchange data securely.
• By using strong encryption, ssh significantly enhances the security of both the authentication process and the session itself.
![Page 47: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/47.jpg)
ADVANTAGE OF LINUX
User vs. administrator
• Only root can install software or change system settings.
• More difficult for viruses to spread.
• Commands, utilities, even the desktop run separately from the kernel.
• Security updates are easier, quicker to deploy.
![Page 48: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/48.jpg)
THREATS TO LINUX MACHINES
Reasons for break-in:
• Loose passwords
• Improper permissions
• Careless security
• Unwanted vulnerable services
• Brute force password attacks
• Buffer overflows in network services.

    int main () {
        int buffer[10];
        buffer[20] = 10;   /* write past the end of the 10-element array */
    }

Aim: overwrite some control information to change the flow of control in the program.
![Page 49: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/49.jpg)
SECURING LINUX BETTER
1. Secure the console
2. Set good passwords
3. Set right permissions
4. Secure the network connection
5. Restrict Access
6. Iptables
7. Firewalls, Ports & Services
8. Handling / Restricting Services
9. Adding security to desktop
10. Keep the system up to date
![Page 50: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/50.jpg)
SECURING THE CONSOLE
Physical Security
• Password protect the screensaver.
• Set a password on the boot loader (lilo / grub).
• Use xlock or xautolock while away.
• Do NOT normally login as root in own machine.
• Set BIOS Password.
• Machine in safe location.
• Set boot hierarchy to HDD first (not CD,HDD).
• Restrict Remote access.
• Set up an idle timeout, to logout idle users.
![Page 51: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/51.jpg)
PASSWORDS
• Use strong, unique passwords (especially for root).
• Must have a minimum length of 8 characters.
• Must be alpha-numeric, not based on dictionary words.
• Password must be changed every 30 days.
• Account will be locked out after 3 consecutive unsuccessful login attempts.
• Don't write down passwords or User-id & password.
• Passwords must contain multiple character types (Lower / Upper Case, numbers, punctuation etc.)
• Root password should be very hard to crack.
![Page 52: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/52.jpg)
PERMISSIONS
• Correct permissions & ownerships on all directories & files.
• Never make files world-writable / world readable.
• Search for world-writable files in pwd:

    find . -perm -2 -print

• Improper file permissions in /dev: read/write directly to hardware like hard disks and network interfaces.
• /dev files should only be writable by root & readable only by their group.
• Exception: /dev/tty, /dev/pty, /dev/null, /dev/zero.

    find /dev -perm -2 -print
    chmod -R 700 /etc/rc.d/init.d/*

• Lock the /etc/services file so that no one can modify it
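An added example (not from the original slides) that builds on the `find . -perm -2 -print` check above: a plain `-perm -2` scan also lists symbolic links, whose own mode is always 777, and sticky directories that are world-writable by design, so this version filters both and honours an exception list like the /dev one. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_world_writable ROOT [EXCEPTION...]
# Lists objects under ROOT whose "other" write bit is set, skipping
#   - symbolic links (their own mode is always 777; the target decides access),
#   - directories with the sticky bit set (the /tmp pattern),
#   - any path passed as an EXCEPTION (e.g. /dev/null, /dev/zero, /dev/tty).
# Assumption of this sketch: no path contains a newline.
audit_world_writable() {
    aw_root=$1
    shift
    find "$aw_root" -xdev ! -type l -perm -0002 -print | sort |
    while IFS= read -r aw_path; do
        aw_skip=0
        for aw_ex in "$@"; do
            if [ "$aw_path" = "$aw_ex" ]; then aw_skip=1; fi
        done
        if [ "$aw_skip" -eq 1 ]; then continue; fi
        if [ -d "$aw_path" ]; then
            # In a sticky directory users can only remove their own files.
            if [ -k "$aw_path" ]; then continue; fi
            printf 'DIR  %s\n' "$aw_path"
        else
            printf 'FILE %s\n' "$aw_path"
        fi
    done
}

# demo_audit: build a constructed sample tree in a temp dir and audit it.
demo_audit() {
    da_dir=$(mktemp -d) || return 1
    (
        cd "$da_dir" || exit 1
        mkdir shared scratch private
        chmod 777 shared                      # world-writable, no sticky bit: reported
        chmod 1777 scratch                    # sticky: skipped
        chmod 755 private                     # not world-writable
        : > app.conf;  chmod 666 app.conf     # reported
        : > safe.conf; chmod 644 safe.conf    # not world-writable
        : > null;      chmod 666 null         # stands in for /dev/null, excepted
        ln -s safe.conf link                  # symlink: skipped
        audit_world_writable . ./null
    )
    rm -rf "$da_dir"
}
```

Run `demo_audit` to see the two findings, or point `audit_world_writable` at a real directory and pass the slide's /dev exceptions as extra arguments.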
![Page 53: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/53.jpg)
SECURE THE NETWORK
• Remove all unwanted users and groups.
• Enable nospoof option in /etc/host.conf.
• Don't create /etc/hosts.equiv or a .rhosts file.
• Don't run rlogind or rshd. (pw in plain text)
• Run sshd to allow remote access via SSH.
• Use TCP Wrappers "tcpd".
• Use /etc/hosts.deny & /etc/hosts.allow.
• hosts.allow overrides hosts.deny.
• Disable unwanted services through xinetd.conf also.
Ref: man hosts_access
![Page 54: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/54.jpg)
MORE OF /ETC/HOSTS.[ALLOW|DENY]
/etc/hosts.deny
• Only local host allowed access

    ALL:ALL

/etc/hosts.allow

    sshd: ALL
    ALL: .tifr.res.in EXCEPT xyz.tifr.res.in

• Allow localhost

    ALL : 127.0.0.1

• Allow another m/c to connect to any service

    ALL : 192.168.1.2

• Let all ssh except 192.168.1.3 and 192.168.1.4

    sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4
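An added sketch (not from the original slides, and not tcpd's own code) of the decision order behind "hosts.allow overrides hosts.deny": hosts.allow is consulted first, then hosts.deny, and a client that matches neither is allowed. The function names are hypothetical and only a subset of hosts_access(5) patterns is modelled; the sample files reuse the slide's rules.

```shell
#!/bin/sh
# Simplified model of the hosts_access(5) decision order:
#   1. a matching rule in hosts.allow grants access;
#   2. otherwise a matching rule in hosts.deny refuses it;
#   3. otherwise access is granted.
# Supported patterns: ALL, an exact host name or address, a leading-dot
# domain suffix, and "list EXCEPT list". Wildcards, netmasks and IPv6
# addresses are outside this sketch.

# list_match NAME ADDR PATTERN...: succeed when NAME or ADDR matches the
# list before EXCEPT and neither matches the list after it.
list_match() {
    lm_name=$1
    lm_addr=$2
    shift 2
    lm_hit=0
    lm_excepted=0
    lm_in_except=0
    for lm_pat in "$@"; do
        if [ "$lm_pat" = EXCEPT ]; then lm_in_except=1; continue; fi
        lm_m=0
        case $lm_pat in
            ALL) lm_m=1 ;;
            .*)  case $lm_name in *"$lm_pat") lm_m=1 ;; esac ;;
            *)   if [ "$lm_pat" = "$lm_name" ] || [ "$lm_pat" = "$lm_addr" ]; then lm_m=1; fi ;;
        esac
        if [ "$lm_m" -eq 1 ]; then
            if [ "$lm_in_except" -eq 1 ]; then lm_excepted=1; else lm_hit=1; fi
        fi
    done
    [ "$lm_hit" -eq 1 ] && [ "$lm_excepted" -eq 0 ]
}

# rules_match DAEMON NAME ADDR FILE: succeed when any "daemons : clients"
# line in FILE matches the daemon and the client.
rules_match() {
    rf_daemon=$1
    rf_name=$2
    rf_addr=$3
    rf_file=$4
    rf_result=1
    [ -r "$rf_file" ] || return 1
    set -f    # list items are word-split below and must not be glob-expanded
    while IFS=: read -r rf_dlist rf_clist rf_rest; do
        case $rf_dlist in ''|'#'*) continue ;; esac
        rf_d=$(printf '%s' "$rf_dlist" | tr ',' ' ')
        rf_c=$(printf '%s' "$rf_clist" | tr ',' ' ')
        if list_match "$rf_daemon" "$rf_daemon" $rf_d &&
           list_match "$rf_name" "$rf_addr" $rf_c; then
            rf_result=0
            break
        fi
    done < "$rf_file"
    set +f
    return "$rf_result"
}

# tcpd_decide DAEMON NAME ADDR ALLOW_FILE DENY_FILE: print the decision.
tcpd_decide() {
    if rules_match "$1" "$2" "$3" "$4"; then
        echo "allow (hosts.allow)"
    elif rules_match "$1" "$2" "$3" "$5"; then
        echo "deny (hosts.deny)"
    else
        echo "allow (no rule matched)"
    fi
}

# write_sample_rules DIR: constructed files built from the slide's rules.
write_sample_rules() {
    printf '%s\n' 'ALL:ALL' > "$1/hosts.deny"
    printf '%s\n' \
        '# constructed sample' \
        'sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4' \
        'ALL: .tifr.res.in EXCEPT xyz.tifr.res.in' \
        'ALL : 127.0.0.1' \
        'ALL : 192.168.1.2' > "$1/hosts.allow"
}
```

The third branch is the one to watch: without the `ALL:ALL` line in hosts.deny, a client that matches no rule is let in.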
![Page 55: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/55.jpg)
FIREWALLS
• Hardware firewall: a device between Internet & LAN.
• Software firewall: software on a desktop/server that rejects certain types of network traffic.
• Consider implementing a firewall. man iptables
• Restrict n/w traffic to a machine or network segment.
• Improves security and network performance.
Why do I need a software firewall?
• Protects the m/c even if the h/w firewall is compromised.
• Protects the m/c against compromised m/cs on the n/w.
When can't one use a firewall?
• Some services (like Samba) may use unspecified ports.
• Some applications want to use arbitrary ports.
![Page 56: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/56.jpg)
IPTABLES
• System Settings > Security Level
• System Settings > Server Settings > Services
• Activate iptables in runlevels 3 & 5
• Chains: INPUT, OUTPUT, FORWARD.
• Effects: ACCEPT, DENY, DROP
• List all iptables rules

    # iptables -L
    # iptables -A INPUT -s <SIP> -j DROP
    # iptables -D <Chain name> <Rule no>
![Page 57: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/57.jpg)
IPTABLES (CONTD…)
• Drop all incoming telnet packets

    # iptables -A INPUT -j DROP -p tcp --destination-port telnet

• Block any incoming tcp packets on 2nd Eth card (eth1)

    # iptables -A INPUT -j DROP -p tcp -i eth1

• Drop incoming SYN, i.e. anything not initiated by our PC

    # iptables -A INPUT -p tcp --syn -j DROP

• Block by MAC address

    # iptables -A INPUT -m mac --mac-source 00:0B:DB:45:56:42 -j DROP

Ref:
![Page 58: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/58.jpg)
PORTS
What are ports?
• A network connection is analogous to a highway. Each type of traffic needs to be in its own lane.
• A port is analogous to a lane on the highway; different types of traffic (http, ftp, ssh, etc.) use different ports (80, 21, 22 etc.)
What ports need to be open?
• Open the ports for services you need to use and/or offer others.
• SSH (remote access to your machine): 22
• FTP (file sharing server): 21
• Web server: 80
• X (display graphics on remote machines): 6000
• See /etc/services for an exhaustive list.
• Close unused ports/terminate unwanted services.
![Page 59: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/59.jpg)
SERVICES / DAEMONS
Services:
• Special applications that start before any login
• Web server (httpd or Apache)
• File services (samba, NFS, ftpd)
• Print services (lpd, CUPS)
• Remote access (telnetd, sshd, vncserver)
• Management tools (crond, rhnsd)
Why can services be dangerous?
• Many services offer themselves to local & remote m/cs.
• If a flaw exists in the program providing the service, an attacker can exploit this flaw and break into the machine.
RULE: don't run any services you don't need.
RULE: if you're running a service, restrict access as far as possible.
![Page 60: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/60.jpg)
ADDING SECURITY TO DESKTOP
• NIS maintains and distributes files such as /etc/group, /etc/passwd, and /etc/hosts.
• NIS's very nature of "easy information access" makes it tasty hacker bait.
• A later replacement is NIS+.
• Access to NFS volumes is granted by /etc/exports.
• This is a weak form of security because the server trusts the clients to tell it who they are.
• It is easy to make clients lie about their identities.
• The TCP wrappers package can help limit the hosts that can access NFS filesystems (through /etc/hosts.deny).
![Page 61: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/61.jpg)
REALISTIC SECURITY SEVERITY METRICS
Elements of an overall severity metric
The damage potential of any given discovered security vulnerability is a measurement of the potential harm done.
Overall severity metric and interaction between the three key metrics
Our security analyst informs that we are the CIO for a business based on a web ecommerce site.
The exception to the rule
The exploitation potential is an exception to this rule: anonymous malicious hackers with only mediocre programming skills can spend weeks or months developing a program to exploit a security hole with little or no risk of getting caught.
Applying the overall severity metric
Suppose one operating system has far more security alerts than another.
![Page 62: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/62.jpg)
MICROSOFT WINDOWS VS LINUX
• Both offer some of the graphics capabilities and include some networking capabilities. But Linux networking is excellent.
• Linux is multi-user, multi-tasking, but Microsoft Windows doesn't support it.
• Viruses, Trojans and other malware make it onto the Windows desktop for a Familiar to Windows and foreign to Linux
![Page 63: Desktop and server securityse](https://reader036.vdocument.in/reader036/viewer/2022062503/58ee50a11a28ab721b8b4645/html5/thumbnails/63.jpg)
THANK YOU