[精选]Windows7桌面安全.pptx

《[精选]Windows7桌面安全.pptx》由会员分享，可在线阅读，更多相关《[精选]Windows7桌面安全.pptx（58页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、第六章Windows 7 桌面平安概述 Windows 7 中平安管理概述 使用本地组策略加强Windows 7 平安 使用EFS 和BitLocker 实现数据平安 配置应用程序限制 配置用户账户控制 配置 Windows Firewall 配置Internet Explorer 8 中的平安设置 配置Windows Defender What Is Action Center?Demonstration:Configuring Action Center SettingsLesson 1:Windows 7 中平安管理概述 Windows 7 关键平安功能Windows 7 关键平安功能E

2、ncrypting File System EFS Windows BitLocker and BitLocker To GoWindows AppLocker User Account Control Windows Firewall with Advanced SecurityWindows DefenderWindows 7 Action Center什么是操作中心?Select the items that you want checked for user alerts Action Center is a central location for viewing messages

3、about your system and the starting point for diagnosing and solving issues with your systemDemo:配置操作中心设置In this demonstration,you will see how to:Change Action Center Settings Change User Control Settings View Archived Messages 10 minLesson 2:使用本地组策略加强Windows 7 平安 什么是组策略?组策略对象如何被执行?多本地组策略如何工作 Demo:创

4、立多本地组策略 Demo:配置本地平安策略设置什么是组策略?组策略可以使IT 管理员实现对用户和计算机一对多的管理使用组策略:执行标准化配置 部署软件 强制安全设置 强制桌面环境的一致性本地组策略影响登录到该计算机的本地或域用户组策略对象如何被执行?计算机设置在启动时和到策略更新周期时执行，用户设置在用户登录或到策略更新周期时执行组策略处理顺序:1.Local GPOs2.Site-level GPOs3.Domain GPOs4.OU GPOs多本地组策略如何工作多本地组策略允许管理员应用不同的本地策略到本地的用户.本地组策略对象可以应用到3 个级别的用户:1.本地组策略对象应用到本地计算机

5、和所有用户.2.管理员组和非管理员组，只包含用户设置.3.指定的用户，最后被执行，仅包含用户设置，应用到指定的用户.Demo:创立多本地组策略In this demonstration,you will see how to:Create a custom management console Configure the Local puter Policy Configure the Local puter Administrators Policy Configure the Local puter Non-Administrators Policy Test multiple local

6、 group policies 10 minDemo:配置本地平安策略设置In this demonstration,you will see how to review the local security group policy settings 10 minLesson 3:使用EFS 和BitLocker 实现数据平安 什么是EFS?Demo:使用EFS 加密和解密文件和文件夹 什么是BitLocker?BitLocker 需求 BitLocker 模式 BitLocker 组策略设置 配置BitLocker 配置BitLocker to Go 恢复BitLocker 加密驱动器什么

7、是EFS?Encrypting File System(EFS)is the built-in file encryption tool for Windows file systems.Enables transparent file encryption and decryption Requires the appropriate cryptographic(symmetric)key to read the encrypted data Each user must have a public and private key pair that is used to protect t

8、he symmetric key A users public and private keys:Can either be self-generated or issued from a Certificate Authority Are protected by the users password Allows files to be shared with other user certificates 支持将私钥存储到智能卡上 Encrypting File System Rekeying wizard新的EFS 组策略设置加密系统页面文件支持AIS256 位加密Windows 7

9、中EFS 新功能基于每用户的脱机文件加密Demo:使用EFS 加密和解密文件和文件夹In this demonstration,you will see how to:Encrypt files and folders Confirm the files and folders have been encrypted Decrypt files and folders Confirm the files and folders have been decrypted10 min什么是BitLocker？Windows BitLocker 驱动加密可以加密存储在系统卷上的操作系统和数据提供对离线

10、数据保护的支持保护所有安装在加密卷上的应用程序数据包含系统完整性校验校验启动组件和启动配置数据t configuration data抱着启动过程的完整性BitLocke 需求加密和解密密钥:硬件需求:BitLocker 加密需要:计算机带有TPM v1.2 或更新芯片 可移动USB 设备 有足够的可用空间，BitLocker 需要创立两个分区 BIOS 兼容TPM，同时系统启动时需要USB 设备支持BitLocker 模式Windows 7 支持两种操作模式:TPM 模式 无-TPM 模式TPM mode Locks the normal boot process until the use

11、r optionally supplies a personal PIN and/or inserts a USB drive containing a BitLocker startup key The encrypted disk must be located in the original computer Performs system integrity verification on boot componentsIf any items changed unexpectedly,the drive is locked and prevented from being acces

12、sed or decrypted无-TPM 模式 使用组策略来允许BitLocker 工作在无TPM 模式 锁定启动过程类似于TPM 模式，BitLocker 启动密钥必须存储在USB 设备上 计算机的BIOS 必须能读取USB 驱动器 提供受限的验证 不能执行BitLocker 系统完整性检查Settings for Removable Data Drives Group Policy provides the following settings for BitLocker:Turn on BitLocker backup to Active Directory Domain Servic

13、es Configure the recovery folder on Control Panel Setup Enable advanced startup options on Control Panel Setup Configure the encryption method Prevent memory overwrite on restart Configure TPM validation method used to seal BitLocker keysBitLocker 的组策略设置Settings for Fixed Data DrivesLocal Group Poli

14、cy Settings for BitLocker Drive EncryptionSettings for Operating System Drives Enabling BitLocker initiates a start-up wizard:Validates system requirements Creates the second partition if it does not already exist Allows you to configure how to access an encrypted drive:USB User function keys to ent

15、er the Passphrase No keyThree methods to enable BitLocker:From System and Settings in Control Panel Right-click the volume to be encrypted in Windows Explorer and select the Turn on BitLocker menu option Use the command-line tool titled manage-bde.wsfInitiating BitLocker through Windows Explorer通过控制

16、台初始化BitLocker配置BitLockerManage a Drive Encrypted by BitLocker To GoSelect how to store your recovery keyManage a Drive Encrypted by BitLocker To Go Enable BitLocker To Go Drive Encryption by right-clicking the portable device(such as a USB drive)and then clicking Turn On BitLocker Select one of the

17、following settings to unlock a drive encrypted with BitLocker To Go:Unlock with a Recovery Password or passphrase Unlock with a Smart Card Always auto-unlock this device on this PC配置BitLocker To GoSelect how to unlock the drive through a password or by using a SmartcardEncrypt the Drive恢复BitLocker 加

18、密的驱动当一台启用Bitlocker 的计算机启动时:BitLocker 检查操作系统是否有平安隐患 如果检查到:BitLocker 进入到恢复模式，并保持系统分区锁定 用户必须输入正确的恢复密钥才能继续BitLocker 恢复密码是:48 位数字密码用来解锁系统 Unique to a particular BitLocker encryption 可以被存储在Active Directory 如果存储在活动目录中，通过驱动标签或计算机密码搜索它Lesson 4:配置应用程序限制 什么AppLocker?AppLocker 规则 Demo:配置AppLocker 规则 Demo:强制AppL

19、ocker 规则 什么是软件限制策略?什么AppLocker?AppLocker 的好处：控制用户如何访问和运行所有类型的应用程序 确保用户桌面上只能运行允许的程序和许可的软件AppLocker 是Windows 7 中的一项新平安功能，使得IT 管理员可以指定用户可以执行那些应用程序默认规则:所有用户可以运行默认程序文件目录下的文件所有用户可以运行经过Windows 操作系统签名过的文件内置管理员组可以运行所有文件首先，在手工创建新规则之前，创建默认AppLocker 规则，然后字定义规则创建自定义规则在本地安全策略控制台使用AppLocker 向导自动生成规则你可以配置执行规则、Windo

20、ws Installer 规则、脚本规则你可以指定一个包含.exe 文件的文件夹给某条规则你可以创建某个.exe 文件的例外规则你可以创建基于数字签名的应用程序规则你可以手工创建一个自定义特殊执行规则AppLocker 规则Demo:配置AppLocker 规则In this demonstration,you will see how to:Create new executable rule Create new Windows Installer rule Automatically generate Script rules10 minDemo:强制AppLocker 规则In thi

21、s demonstration,you will see how to:Enforce AppLocker Rules Confirm the executable rule enforcement Confirm the Windows Installer rule enforcement10 min什么是软件限制策略?软件限制策略(SRP)可以明确用户可以允许执行那些软件SRP 是Windows XP 和 Windows Server 2003 支持的策略SRP 是设计用来帮助组织控制一些不允许执行的未知代码和恶意的程序SRP 包含默认安全级别，所有的规则都在组策略应用时被执行How do

22、es SRP compare to Windows AppLocker?AppLocker 是用来替换软件限制策略的SRP 控制台和SRP 规则在Windows7 同样也支持，主要用来实现向下兼容性AppLocker 规则完全独立于SRP 规则AppLocker 组策略独立于SRP 组策略If AppLocker 规则定义于一个GPO 中，只有指定规则被应用根据企业客户端版本分别定义AppLocker 和SRP 规则SRP 和AppLocker 比较Lesson 5:配置用户账户控制 什么UAC?UAC 如何工作 Demo:配置UAC 的组策略设置 配置UAC 提示设置什么UAC?用户账户控制

23、UAC 是一项平安功能，使得用户在标准用户模式下执行必须的日常任务UAC 必要时会要求用户提升到管理员模式下执行相应的操作Windows 7 增强了用户控制的提升体验UAC 如何工作在Windows 7 中，当用户执行一项需要管理员特权的任务时，会出现什么提示?AdministrativeUsersUAC prompts the user for permission to complete the task Standard UsersUAC prompts the user for the credentials of a user with administrative privileg

24、esDemo:配置UAC 的组策略设置In this demonstration,you will see how to:Open the User Accounts window Review user groups View the Credential Prompt Change User Account Settings and View the Consent Prompt10 min配置UAC 提示设置UAC 的用户体验级别有：Always notify me Notify me only when programs try to make changes to my comput

25、er Notify me only when programs try to make changes to my computer(do not dim my desktop)Never notifyLab A:Configuring UAC,Local Security Policies,EFS,and AppLocker Exercise 1:Configuring virus protection and User Account Control UAC notification settings in Action Center Exercise 2:Configuring Mult

26、iple Local Group Policies to manage the appearance of selected program icons Exercise 3:Configuring and testing encryption of files and folders Exercise 4:Configuring and testing AppLocker rules to control what programs can be executedLogon informationEstimated time:50 minutesVirtual machine6292A-LO

27、N-DC1 6292A-LON-CL1User nameContosoAdministratorPassword Pa$w0rdLab A Scenario Your pany is implementing Windows 7 puters for all corporate users.As an administrator at your organization,you are responsible for configuring the new Windows 7 puters to support various corporate requirements.You have b

28、een asked to:Turn off virus protection notifications Verify the User Account Control UAC settings are set to“Always notify but not dim the desktop Configure multiple local group policies to control which of the default program icons appear on users and administrators puters Encrypt all sensitive dat

29、a on puters using EFS Use AppLocker rules to prevent corporate users from running Windows Media Player and installing unauthorized applicationsLab A Review Where can you turn on and off security messages related to virus protection?What are some of the other security messages that can be configured

30、in Windows 7?How can the notifications about changes to the puter be suppressed?Can multiple local group policies be created and applied to different users?What are some of the ways of protecting sensitive data in Windows 7?How can Windows 7 users be prevented from running applications,such as Windo

31、ws Media Player?Lesson 6:配置Windows Firewall 讨论：什么是防火墙?配置基本防火墙设置 高级平安Windows 防火墙 常见应用程序使用的端口 Demo:配置入站、出战连接平安规则讨论：什么是防火墙?1.你们公司正在使用哪种类型的防火墙?2.是什么原因选择的它?10 min配置网络位置翻开或关闭Windows 防火墙，自定义网络位置设置添加，修改和移除允许的程序设置和修改多个活动的配置文件设置配置Windows 防火墙提示配置基本防火墙设置高级平安Windows 防火墙Windows Firewall with Advanced Security fil

32、ters in ing and outgoing connections based on its configurationInbound rules explicitly allow or explicitly block traffic that matches criteria in the rule.Outbound rules explicitly allow or explicitly deny traffic originating from the puter that matches the criteria in the rule.Connection security

33、rules secure traffic by using IPsec while it crosses the network.The monitoring interface displays information about current firewall rules,connection security rules,and security associations.The Properties page is used to configure firewall properties for domain,private,and public network profiles,

34、and to configure IPsec settings.常见应用程序使用的端口当计算机要和远程的主机建立通讯时，将会创建TCP 或UDP的套接字TCP/IP Protocol SuiteTCP UDP Ethernet HTTPFTPSMTPDNSPOP3SNMPIPv6 IPv4ARP IGMP ICMPHTTPSDemo:配置入站、出战连接平安规则In this demonstration,you will see how to:Configure an Inbound Rule Configure an Outbound Rule Test the Outbound Rule C

35、reate a Connection Security Rule Review Monitoring Settings in Windows Firewall15 minLesson 7:配置Internet Explorer 8 的平安设置 讨论:Internet Explorer 8 在兼容性功能 Internet Explorer 8 增强的隐私保护功能 Internet Explorer 8 的SmartScreen 功能 Internet Explorer 8 的其它平安功能 Demo:配置Internet Explorer 8 的平安设置讨论:Internet Explorer 8

36、 在兼容性功能10 min在你更新IE 时，你会碰到哪些兼容性我呢间?Internet Explorer 8 增强的隐私保护功能InPrivate Browsing-inherently more secure than using Delete Browsing History to maintain privacy because there are no logs kept or tracks made during browsingInPrivate Filtering-helps monitor the frequency of all third-party content as

37、it appears across all Web sites visited by the userEnhanced Delete Browsing History-enables users and organizations to selectively delete browsing historyInternet Explorer 8 的SmartScreen 功能Use this link to navigate away from an unsafe Web site and start browsing from a trusted locationUse this link

38、to ignore the warning;the address bar remains red as a persistent warning that the site is unsafeInternet Explorer 8 的其它平安功能Per-user ActiveX 使得标准用户可以安装ActiveX 控件在自己的用户配置文件里，不需要管理员特权Per-site ActiveX IT 管理员使用组策略预先设置被允许的相关联域的控件XSS Filter 如果在服务器的响应中出现重播，将被识别为跨站脚本攻击DEP/NX protection-查找内存中没有明确包含可执行代码的数据(这

39、些数据有时会是病毒的源代码),找到这些数据后,NX 将它们都标记为“不可执行Demo:配置Internet Explorer 8 的平安设置In this demonstration,you will see how to:Enable patibility View for All Web Sites Delete Browsing History Configure InPrivate Browsing Configure InPrivate Filtering View Add-on Management Interface10 minLesson 8:配置Windows Defende

40、r 什么是恶意软件?什么是Windows Defender?Windows Defender 的扫描选项 Demo:配置Windows Defender 设置什么是恶意软件?恶意软件包括:病毒 蠕虫 特洛伊木马 间谍软件 广告软件恶意软件将导致:性能降低 数据丢失 隐私泄露 降低用户的效率 未经允许的篡改计算机配置恶意软件是一种蓄意破话计算机的一种软件.什么是Windows Defender?Windows Defender 是一种安全软件，可以用来保护计算机对抗安全风险，它能检测和移除已知的间谍软件.计划扫描将按原先的计划定期执行提供可配置的响应为严重、高、中、低的警告级别提供可定义的选项来

41、例外文件，文件夹和文件类型通过Windows Update 自动安装新的间谍软件定义当扫描完成 时，将在主页显示结果.Windows Defender 的扫描选项当扫描时，你可以定义你可以定义，扫描什么Option Description扫描归档文件May increase scanning time,but spyware likes to hide in these locations扫描e-mail Scan e-mail messages and attachments扫描可移动驱动器 Scan removable drives such as USB flash drives启发式扫

42、描Alert you to potentially harmful behavior if it is not included in a definition file创立复原点If detected items are automatically removed,this restores system settings if you want to use software you did not intend to removeScan Type Description快速扫描 扫描计算机最容易被感染相关系统位置完全扫描 扫描计算机所有的位置自定义扫描 扫描用户指定的位置Demo:配置

43、Windows Defender 设置In this demonstration,you will see how to:Set Windows Defender Options View Quarantine Items View Allowed Items Microsoft SpyNet Windows Defender Website10 minLab B:Configuring Windows Firewall,Internet Explorer 8.0 Security Settings,and Windows Defender Exercise 1:Configuring and

44、 Testing Inbound and Outbound Rules in Windows Firewall Exercise 2:Configuring and Testing Security Settings in Internet Explorer 8 Exercise 3:Configuring Scan Settings and Default Actions in Windows DefenderLogon informationEstimated time:45 minutesVirtual machine6292A-LON-DC1 6292A-LON-CL1User nam

45、eContosoAdministratorPassword Pa$w0rdLab B ScenarioYour pany has recently implemented Windows 7 puters for all corporate users.Some of the users have been connecting to and from other desktops through RDP.You need to prevent them from doing so with the use of Windows Firewall.As an administrator at

46、your organization,you are responsible for configuring and testing various security settings:In Internet Explorer 8,including InPrivate Browsing,InPrivate Filtering,and the patibility view for all Web sites.To prevent malware from infecting puters you need to configure Windows Defender scan settings,

47、schedule scans to run on Sundays at 10:00 PM and set severe alert items to quarantine.You also need to review what items have been allowed on puters.Lab B Review What are the types of rules you can configure in Windows Firewall?What are some of the new security settings in Internet Explorer 8?Will t

48、he default Windows Defender settings allow to check for new definitions,regularly scan for spyware and other potentially unwanted software?What are some of the types of scans Windows Defender can perform to detect malicious and unwanted software?Module Review and Takeaways Review questions Real-Worl

49、d Issues and Scenarios mon Issues Best Practices 9、静夜四无邻，荒居旧业贫。6 月-236 月-23Thursday,June 1,2023 10、雨中黄叶树，灯下白头人。12:23:5912:23:5912:236/1/2023 12:23:59 PM 11、以我独沈久，愧君相见频。6 月-2312:23:5912:23Jun-2301-Jun-23 12、故人江海别，几度隔山川。12:23:5912:23:5912:23Thursday,June 1,2023 13、乍见翻疑梦，相悲各问年。6 月-236 月-2312:23:5912:23

50、:59June 1,2023 14、他乡生白发，旧国见青山。01 六月 202312:23:59 下午12:23:596 月-23 15、比不了得就不比，得不到的就不要。六月 2312:23 下午6 月-2312:23June 1,2023 16、行动出成果，工作出财富。2023/6/1 12:23:5912:23:5901 June 2023 17、做前，能够环视四周；做时，你只能或者最好沿着以脚为起点的射线向前。12:23:59 下午12:23 下午12:23:596 月-23 9、没有失败，只有暂时停止成功！。6 月-236 月-23Thursday,June 1,2023 10、很多事