4 - Aspects of Windows Client Security

Abstract

This chapter focuses on important client security aspects that include least privilege, Internet Explorer (IE) security, security changes in XP Service Pack 2, spyware protection, and the Trusted Platform Module (TPM). It also covers the upcoming client security features in Internet Explorer 7.0 and Windows Vista. The principle of least privilege means that you should a user or a piece of code is given only the privileges it needs to do the job. For administrators, this means that they should have two accounts in an AD domain—one low-privilege account, and another high privilege account. UNIX is the best example that completely follows the principle of least privilege. The tools that administrators and users can use today in Windows 2000, Windows Server 2003, R2, and Windows XP to honor least privilege are RunAs, fast user switching, and third party tolls like dropmyrights and the privilege bar, The chapter also details the Windows XP Service Pack 2 security enhancements that include critical security enhancements for both users and developers. In Windows XP, Microsoft introduced a built-in personal firewall: the Internet Connection Firewall (ICF). XP SP2 offers more security resilience, that is, it increases the level of security and protection even on systems that don't have the latest security patches installed.’. The chapter also details the concept of browser security that highlights intelligent add-on management, pop-up blocking, and hidden IE security changes. Internet Explorer (IE) security zones are a powerful and often neglected security feature of Microsoft's Internet browser. Ensuring proper IE security require defining security zones, identifying security zone web site, customizing and administering the local computer security zone, and controlling security zone configuration settings. The chapter concludes with the malicious mobile code protection (MMC) that deals with protection against MMC annoyances like viruses, spyware, and rootkits.’