4. Layer 4: Managing information access
Layer 4 focuses on how users access information. Because of this, you need to concentrate on the following items:
The other items, Smart Card Deployments and IE Configurations, are covered here.
Deploying smart cards
Smart cards come in many form factors. The least expensive are USB smart cards: the card chip is built into a small USB token that contains its own reader, so you do not have to buy and install separate reader hardware. Plug the token in and it is ready to use.
If you use USB smart cards, make sure that your Device Control settings allow them as removable devices; otherwise a removable-device lockdown blocks the very token users need in order to log on.
In Vista, smart cards can be used for logon authentication as well as with the Encrypting File System (EFS), which makes them doubly valuable: the same card protects both the logon session and the user's encrypted files. When you select a smart card vendor, make sure that its products are certified for Vista. Products written for XP may not work with Vista, because Microsoft replaced the GINA-based logon architecture with credential providers and introduced the smart card minidriver model. Use only certified products.
When you are ready to deploy, control smart card behavior through Group Policy. Open the Smart Card settings by choosing Computer Configuration => Policies => Administrative Templates => Windows Components => Smart Cards, then use the procedure outlined under Device Controls to modify and apply the settings recommended in Table 5.
Table 5. Configuring Settings for Smart Cards in Group Policy

| Setting | Recommendation |
|---|---|
| Allow certificates with no extended key usage certificate attribute | Not configured |
| Allow Integrated Unblock screen to be displayed at the time of logon | Verify with the hardware manufacturer before using this setting. |
| Allow signature keys valid for Logon | Not configured |
| Allow time invalid certificates | Not configured |
| Turn on certificate propagation from smart card | Enable so that the certificates on the card are copied to the user's personal certificate store, where EFS and other applications can use them. |
| Configure root certificate clean up | Not configured |
| Turn on root certificate propagation from smart card | Not configured |
| Filter duplicate logon certificates | Not configured |
| Force the reading of all certificates from the smart card | Not configured |
| Display string when smart card is blocked | Not configured |
| Reverse the subject name stored in a certificate when displaying | Enable to display user names properly. |
| Allow user name hint | Not configured |

For the three settings that allow certificates with no EKU, signature-only keys, or invalid validity periods, Not configured keeps the default behavior, which is to reject such certificates at logon. Enabling any of them relaxes certificate validation for every smart card logon in the domain and should be a deliberate, documented decision.
Configuring Internet Explorer
Internet Explorer 7 exposes far more security controls through Group Policy than any previous version of IE. Windows Vista lists 13 categories of settings under the Security Features of IE (Computer Configuration => Policies => Administrative Templates => Windows Components => Internet Explorer => Security Features). These categories include:
Add-on management
Binary behavior security restriction
Consistent mime handling
Information bar
Local machine zone lock-down security
Mime sniffing safety feature
MK protocol security restriction
Network protocol lock down
Object caching protection
Protection from zone elevation
Restrict file download
Scripted Window security restrictions
Enable native XMLHTTP support
There are too many individual settings to list here. The best approach is to review each security feature, decide which processes it should cover, and apply it deliberately: most features offer separate policies for all processes, Internet Explorer processes, and a process list you specify, so you can lock down the browser without breaking other applications that host the WebBrowser control. Applied this way, these features let you create a secure IE environment.
NOTE
The easiest way to do this is to look up the explanation of each feature online. Go to www.microsoft.com/windows/products/winfamily/ie/features.mspx for more information.
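The following script is an added example, not code from the original text: it applies the Enabled rows of Table 5 and the "Internet Explorer Processes" policy of each IE 7 security feature above to a domain GPO, then audits a client for the resulting policy values. The registry keys and value names are my reading of SmartCard.admx, CertProp.admx and inetres.admx and should be verified against the ADMX files in your central store; the GPO name is a placeholder. The apply step needs the GroupPolicy module (Windows Server 2008 R2, or RSAT on Windows 7), which is not available on Vista itself, but the GPO it writes is processed by Vista clients normally.

```powershell
# Added example, not code from the original text: apply the Enabled rows of
# Table 5 and the "Internet Explorer Processes" policy of each IE 7 security
# feature to a domain GPO, then audit a client for the resulting values.
# Apply step: needs the GroupPolicy module (Windows Server 2008 R2 or RSAT on
# Windows 7); Vista clients process the resulting GPO as usual.
# Audit step: runs on the client itself after gpupdate.
# Registry keys and value names are my reading of SmartCard.admx, CertProp.admx
# and inetres.admx; verify them against the ADMX files in your central store.

$GpoName = 'Layer4-InformationAccess'   # assumption: this GPO already exists

# Table 5 rows set to Enabled. "Not configured" rows are deliberately absent:
# a policy with no registry value is exactly what Not configured means.
$SmartCardPolicy = @(
    @{ Name      = 'Turn on certificate propagation from smart card'
       Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp'
       ValueName = 'CertPropEnabled'; Value = 1 },
    @{ Name      = 'Reverse the subject name stored in a certificate when displaying'
       Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
       ValueName = 'ReverseSubject'; Value = 1 }
)

# Table 5 leaves these Not configured because enabling them loosens the checks
# applied to logon certificates; the audit flags them if someone enabled them.
$SmartCardKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$MustNotBeEnabled = 'AllowCertificatesWithNoEKU', 'AllowSignatureOnlyKeys', 'AllowTimeInvalidCertificates'

# One FeatureControl key per IE 7 security feature. "Internet Explorer
# Processes" = Enabled writes iexplore.exe = 1 under the Policies hive.
# FEATURE_PROTOCOL_LOCKDOWN only has an effect once you also list the
# restricted protocols per zone under its RestrictedProtocols subkeys.
# The AJAX category (native XMLHTTP) is a compatibility switch, not a
# lockdown, so it is left out here.
$IeFeatureKey = 'HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'
$IeFeatures   = 'FEATURE_ADDON_MANAGEMENT', 'FEATURE_BEHAVIORS', 'FEATURE_MIME_HANDLING',
                'FEATURE_SECURITYBAND', 'FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_MIME_SNIFFING',
                'FEATURE_DISABLE_MK_PROTOCOL', 'FEATURE_PROTOCOL_LOCKDOWN', 'FEATURE_OBJECT_CACHING',
                'FEATURE_ZONE_ELEVATION', 'FEATURE_RESTRICT_FILEDOWNLOAD', 'FEATURE_WINDOW_RESTRICTIONS'

# Writes the recommended values into the GPO (run on the management station).
function Set-Layer4Policy {
    param([string]$Gpo = $GpoName)
    Import-Module GroupPolicy
    foreach ($s in $SmartCardPolicy) {
        Set-GPRegistryValue -Name $Gpo -Key $s.Key -ValueName $s.ValueName `
            -Type DWord -Value $s.Value | Out-Null
    }
    foreach ($f in $IeFeatures) {
        Set-GPRegistryValue -Name $Gpo -Key "$IeFeatureKey\$f" -ValueName 'iexplore.exe' `
            -Type DWord -Value 1 | Out-Null
    }
}

# Reads one value from the local Policies hive; $null means "Not configured".
function Get-PolicyValue([string]$Key, [string]$ValueName) {
    $path = $Key -replace '^HKLM\\', 'HKLM:\'
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $item.$ValueName } else { $null }
}

# Compares what the client actually received against the recommendations.
function Test-Layer4Policy {
    foreach ($s in $SmartCardPolicy) {
        $actual = Get-PolicyValue $s.Key $s.ValueName
        [pscustomobject]@{ Setting = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    }
    foreach ($v in $MustNotBeEnabled) {
        $actual = Get-PolicyValue $SmartCardKey $v
        [pscustomobject]@{ Setting = $v; Expected = 'Not configured'; Actual = $actual; Ok = ($actual -ne 1) }
    }
    foreach ($f in $IeFeatures) {
        $actual = Get-PolicyValue "$IeFeatureKey\$f" 'iexplore.exe'
        [pscustomobject]@{ Setting = "$f (iexplore.exe)"; Expected = 1; Actual = $actual; Ok = ($actual -eq 1) }
    }
}

# Usage: on the management station run Set-Layer4Policy; on a client, after
# gpupdate /force, list every setting that drifted from the recommendation.
Test-Layer4Policy | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Keeping the recommendations in data rather than in individual Set-GPRegistryValue calls means the same table drives both the apply and the audit, so the audit cannot silently fall out of step with what was deployed. Run the audit on a freshly imaged client as well as on long-lived ones; the Not configured checks exist precisely to catch a local administrator who flipped a validation setting by hand.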