12 Tips To Secure Your Windows Systems

… How Vista, Server 2008/2008 R2 and Windows 7 Changed The Game

Speaker: Mark Minasi (Directory Services MVP, author, speaker, trainer, consultant, journalist, alpha geek)

As usual, there’s way more to one of Mark’s talks than what I’ll blog here.  Go to one of his sessions if you get the chance.  They’re educational and entertaining.

IT security is about risk analysis.  It is impossible to be 100% secure – despite your boss's wishes.  IT is there to help users.  Security has the opposite job.  Find a balance.  Most hardening techniques break stuff – fact.  Windows 7/Server 2008 R2 don't change this much.  I have personal experience of this with the Security Configuration Wizard.

Tip: when advising, make the listener feel smarter than you.  Don't talk down to them on security, because you will alienate them.

Write a security policy.  No rules = no compliance.  The people (internal) are the threat.

“Bad passwords always beat good security”.  Question from the audience: “why aren't you talking about passphrases?”.  Mark talks about it later.  Unfortunately, MS sites still talk about the traditional password approach, and the default domain policy and local security policies still enforce the same 8-character complex password rule.

Real password attacks:

  • Shoulder surfing
  • Post-its
  • Yelled across a room
  • Steal password hashes (physical access)
  • Brute force

As you can see, many of these take advantage of human failings.  The two “hacker” attacks at the end are easily defended against.

Survey: still very few people have disabled LanManager (LM) on their network.  Mark is insisting that it needs to be removed ASAP.

Windows Vista/2008 and later cannot do LM.

NTLM doesn't include time stamps, so it's open to things like man-in-the-middle, replay and reflection attacks.
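As an added example (not from Mark's talk or this post), the following PowerShell reads the local LSA settings that govern the two points above: whether the LM hash is still stored (NoLMHash) and which LM/NTLM responses the machine will send or accept (LmCompatibilityLevel). It is read-only; the meaning text for each level and the note about what applies when the value is absent are stated in the comments as assumptions.

```powershell
# Added example: report LM hash storage and LM/NTLM negotiation settings on the local machine.
# Read-only: nothing is changed. Run on a Vista/2008-or-later box to verify LM is really gone.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa

# NoLMHash = 1 means no LM hash is stored at the next password change.
# If the value is absent, the pre-Vista behaviour (LM hash stored) applies.
$noLmHash = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }

# LmCompatibilityLevel is often absent on a default install; the OS default then applies.
# Assumption: on Windows 7/2008 R2 that default is 3 (send NTLMv2 response only).
$level = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 3 }

# Documented meaning of each level (0-5).
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    LmHashStorageDisabled = ($noLmHash -eq 1)
    LmCompatibilityLevel  = $level
    Meaning               = $levelNames[$level]
    LmNeverSent           = ($level -ge 2)   # no LM response leaves this host
    Ntlmv2Only            = ($level -ge 3)   # only NTLMv2 sent; 5 also refuses inbound LM/NTLM
}
```

Run it remotely with Invoke-Command against a list of servers to get a quick per-host table of who still speaks LM.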

Passwords only have so long left.  Smartcards will take over, e.g. Windows 7 has much better built-in support for smart card driver integration.

UAC is your friend.  Don’t disable it.  Plus Windows 7 allows you to tune how vocal it is.

Auditing: we went from 9 categories on Vista to 54 on Windows 7/2008 R2.  We now have Global Object Access Auditing to track all activity by a security principal.
