
Windows Security

Account Policies

Local Security Policy: Start > Control Panel > System and Security > Administrative Tools
Must be configured at the domain level

Password policy

Enforce password history: How often can the same password be reused? If the setting is 3, then every 3rd reset you could use the same password
Default is 0

Maximum password age: How long before a user has to change their password
Default is 42 days

Minimum password age: Shortest amount of time before a user can change their password
Default is 0

Minimum password length: How many characters?
Default is 0; 8 is usually recommended

Password must meet complexity requirements: Requires complex passwords to be used
Can't include the user's account name; at least 6 characters in length; at least 3 of the following: uppercase, lowercase, numbers, symbols
Default is disabled
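
Added example (not part of the original slides): a Python audit of the password policy settings above, read from the [System Access] section that `secedit /export /cfg` writes. The sample export is constructed from the defaults listed here; the function name and the finding messages are assumptions of this example.

```python
import configparser

# Constructed sample of a `secedit /export /cfg policy.inf` file, holding the
# defaults listed above. A real export is normally UTF-16: open it with
# encoding="utf-16" before passing the text in.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
"""


def audit_password_policy(inf_text, min_length=8):
    """Return (setting, value, finding) tuples for weak password settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the setting names' original case
    parser.read_string(inf_text)
    section = parser["System Access"]

    def value(key):
        return section.getint(key, fallback=0)  # assumption: missing means 0

    findings = []
    if value("PasswordHistorySize") == 0:
        findings.append(("PasswordHistorySize", 0, "old passwords can be reused at once"))
    elif value("MinimumPasswordAge") == 0:
        findings.append(("MinimumPasswordAge", 0, "history can be cycled through in one sitting"))
    if value("MinimumPasswordLength") < min_length:
        findings.append(("MinimumPasswordLength", value("MinimumPasswordLength"),
                         f"shorter than the recommended {min_length}"))
    if value("PasswordComplexity") == 0:
        findings.append(("PasswordComplexity", 0, "complexity requirements are disabled"))
    return findings


if __name__ == "__main__":
    for setting, current, finding in audit_password_policy(SAMPLE_EXPORT):
        print(f"{setting} = {current}: {finding}")
```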

MyComputerCareer.com

Account Policies (cont'd.)

Account lockout policy

Prevents unauthorized access to Windows 7
Can configure an account to be temporarily disabled after a number of incorrect log-on attempts

Account lockout threshold: How many attempts?
Default is 0, meaning account lockout isn't in place until we configure it

Account lockout duration: How long are they locked out?
Default is 30 minutes

Reset account lockout counter after: How long before we start counting the number of attempts over? Example: if the second attempt takes place in 10 minutes, do we still count that as the second attempt?
Default is 30 minutes
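
Added example (not part of the original slides): a simplified Python model of how the threshold, lockout duration and counter reset interact, replayed over constructed failed log-on times. The function name, the timeline and the reset rule (the counter restarts after a quiet period with no failures) are assumptions of this example.

```python
from datetime import datetime, timedelta


def simulate_lockout(failures, threshold, duration_min=30, reset_after_min=30):
    """Replay failed log-on times and return the times the account locks.

    Simplified model: the counter restarts once reset_after_min minutes pass
    without a failure; threshold 0 means lockout is not in place.
    """
    if threshold == 0:
        return []
    lockouts = []
    count = 0
    last_failure = None
    locked_until = None
    for ts in sorted(failures):
        if locked_until is not None and ts < locked_until:
            continue  # still locked out; this attempt is refused
        if last_failure is not None and ts - last_failure >= timedelta(minutes=reset_after_min):
            count = 0  # quiet period elapsed, start counting from scratch
        count += 1
        last_failure = ts
        if count >= threshold:
            lockouts.append(ts)
            locked_until = ts + timedelta(minutes=duration_min)
            count = 0
    return lockouts


# Constructed timeline: failed log-ons at 09:00, 09:10 and 09:20.
T0 = datetime(2024, 1, 1, 9, 0)
BURST = [T0, T0 + timedelta(minutes=10), T0 + timedelta(minutes=20)]
# Same first two failures, but the third comes 35 minutes after the second.
SPACED = [T0, T0 + timedelta(minutes=10), T0 + timedelta(minutes=45)]

if __name__ == "__main__":
    print(simulate_lockout(BURST, threshold=3))   # locks at 09:20
    print(simulate_lockout(SPACED, threshold=3))  # counter reset, no lockout
    print(simulate_lockout(BURST, threshold=0))   # default threshold: never locks
```

With the 30-minute reset, a second failure 10 minutes after the first still counts as the second attempt; only a gap of 30 minutes or more starts the count over.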


Windows Defender

Start > All Programs > Windows Defender

Antispyware: Spyware is software that installs silently on your computer, monitors your behavior, and performs actions based on that behavior

On-Demand Scanning
Windows Defender can perform ad hoc scanning when you suspect that spyware is present on your computer
Quick scan: Scans most common locations, like memory and load points (system files and application files)
Full scan: Scans the entire disk and running processes
Windows Defender can also perform scheduled scans

Real-Time Scanning
Constantly monitors your computer and alerts you when spyware attempts to install
Better than on-demand scanning because you are preventing the problem rather than fixing it


Windows Defender (cont'd.)

Real-Time Scanning (cont'd.)

Protects the following areas:
Downloaded files and attachments: Monitors programs and files that interact with your web browser
Programs that run on my computer: Monitors all applications that run on your computer

Windows Defender Alert Levels

Severe or High: Program that is known to be harmful and should be removed
Medium: Programs that may make changes to your computer or collect private information
Low: Programs that might collect private information, but are operating in accordance with their license agreement


Windows Defender (cont'd.)

Windows Defender Actions

When malware is detected, it can be quarantined, removed, or allowed
You can define default actions that are applied for severe, high, medium, and low alerts
For example, the default action for a Severe alert is to remove the program, but you could change the setting to quarantine


Microsoft Security Essentials

Viruses are a different type of software than spyware

Some of the things viruses can do:
Send spam from your computer to the internet
Capture usernames and passwords for Web sites, including online banking
Steal enough personal information for identity theft
Allow others to remote control your computer and use it as a launching point for illegal activities

Windows 7 does not include any software to protect your computer from viruses
Microsoft Security Essentials is a free download


Encryption Algorithms

Encryption makes data unreadable
Decryption makes data readable again

Symmetric encryption
Same key to encrypt data and decrypt data
The key is a long number that is very hard to guess
A 128-bit key is considered strong for symmetric encryption
Symmetric encryption is strong and fast
Good for encrypting large volumes of data such as files
Used by both EFS and BitLocker Drive Encryption
Biggest problem is securing the key


Encryption Algorithms (cont'd.)

Asymmetric encryption
Key sizes of 512 bits, 1,024 bits, and beyond
Uses two keys to encrypt and decrypt data
Data encrypted by one key is decrypted by the other
Keys are part of a digital certificate
Digital certificates are obtained from certificate authorities
Requires more processing power and is less secure than symmetric encryption
Use symmetric encryption to encrypt the data and then use asymmetric encryption to protect just the symmetric key


Encryption Algorithms (cont'd.)

Hash encryption
One-way encryption
It encrypts data, but the data cannot be decrypted
Used to uniquely identify data rather than prevent access to data
Sometimes hash values for data are called fingerprints
Used for storing passwords
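
Added example (not part of the original slides): the two uses of hashing named above, a fingerprint that identifies data and a stored password record that is checked by re-hashing rather than decrypting. SHA-256, salted PBKDF2 and all function names are this example's choices; the slides name no algorithm, and the inputs are constructed.

```python
import hashlib
import hmac
import os


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint: identifies the data, cannot be turned back into it."""
    return hashlib.sha256(data).hexdigest()


def store_password(password: str, iterations: int = 200_000):
    """Return the record to keep instead of the password itself."""
    salt = os.urandom(16)  # random salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(candidate: str, record) -> bool:
    """Hash the candidate the same way and compare; nothing is ever decrypted."""
    salt, iterations, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(fingerprint(b"quarterly-report v1"))
    print(fingerprint(b"quarterly-report v2"))  # one byte changed, new fingerprint
    record = store_password("Correct-Horse-7")  # constructed sample password
    print(verify_password("Correct-Horse-7", record), verify_password("guess", record))
```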


Encrypting File System

Encrypting File System (EFS)

First included with Windows 2000 Professional
Encrypts individual files and folders on a partition
Suitable for protecting data files and folders on workstations and laptops
Requires a digital certificate with a public and private key
Windows 7 automatically generates the certificate when you encrypt a file
File or folder must be located on an NTFS-formatted partition

Lost encryption keys
If a user loses the EFS key, then an encrypted file is unrecoverable with the default configuration


Encrypting File System (cont'd.)

Lost encryption keys

Some ways EFS keys may be lost:
The user profile is corrupted
The user profile is deleted accidentally
The user is deleted from the system
The user password is reset

In User Accounts, there is an option to manage file encryption certificates
Allows you to back up certificates
This allows the encrypted files to be recovered if required


Using BitLocker

First released in Vista, and now available with Windows 7 Enterprise and Ultimate
Encrypts an entire volume to protect against unauthorized persons, such as someone stealing a hard drive:
Increased data protection
Integrity checking

Understanding BitLocker Requirements
Computer must have a Trusted Platform Module (TPM) and a compatible BIOS.
Has 5 operational modes:
TPM + startup PIN + startup key
TPM + startup key
TPM + startup PIN
Startup key only
TPM only

Turning on BitLocker

Using Data Recovery Agents (DRA)
A user account authorized to recover BitLocker drives with a digital certificate on a Smart Card
Must be configured using Group Policy in an AD DS
Must enable DRA recovery for each type of BitLocker resource you want to recover

Using BitLocker To Go
New feature in Windows 7
Enables user to encrypt removable USB drives
Flash drives and external HDs

Windows Firewall

Windows 7 includes an improved version of Windows Firewall to protect your computer

Standard firewall
Protects your computer by restricting which network packets are allowed to reach your computer

Host-based firewall
Evaluates each packet as it arrives on your PC and determines whether that packet is allowed or denied on

One way to improve security on computers is by reducing the attack surface


Firewall Configuration

Start > Control Panel > System and Security

Windows Firewall Control Panel window
Windows 7 allows custom firewall settings for each type of network location: home, work, or public

When Windows Firewall is enabled
Default configuration blocks all incoming packets except for specifically configured exceptions
There is an option to block all incoming connections


Windows Firewall with Advanced Settings

Advanced Settings allows you to control Firewall
Create Inbound or Outbound rules for applications
Create rules for IPSec to help manage VPN connections
Export, then import Firewall settings to other computers
Log successful or unsuccessful connections
