Windows 7 Security Overview
Jayesh Mowjee, Security Consultant, Microsoft. Session Code: SIA 201
Posted on 19-Dec-2015
Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Fundamentally Secure Platform
- Windows Vista Foundation
- Streamlined User Account Control: make the system work well for standard users; administrators use full privilege only for administrative tasks; file and registry virtualization helps applications that are not UAC compliant
- Enhanced Auditing: XML based; granular audit categories; detailed collection of audit results; simplified compliance management

Securing Anywhere Access

Protect Users & Infrastructure

Protect Data from Unauthorized Viewing
Fundamentally Secure Platform
- Security Development Lifecycle process
- Kernel Patch Protection
- Windows Service Hardening
- DEP & ASLR (Internet Explorer 8 inclusive)
- Mandatory Integrity Controls
User Account Control: Windows Vista to Windows 7

Windows Vista
- System works for Standard User: all users, including administrators, run as Standard User by default; administrators use full privilege only for administrative tasks or applications

Challenges
- User provides explicit consent before using elevated privilege
- Disabling UAC removes protections, not just the consent prompt

Windows 7: Streamlined UAC
- Reduce the number of OS applications and tasks that require elevation
- Re-factor applications into elevated/non-elevated pieces
- Flexible prompt behavior for administrators

Customer Value
- Users can do even more as a standard user
- Administrators will see fewer UAC elevation prompts
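The two points above that matter most to an engineer are "disabling UAC removes protections, not just the consent prompt" and "re-factor applications into elevated/non-elevated pieces". The following PowerShell script is an added example, not code from the deck or from Microsoft: it reads the documented UAC policy values and warns about the settings that weaken the protections, then shows the split pattern by doing the standard-user work in-process and relaunching only the administrative step under "Run as administrator". The two pieces of work (a per-user settings file and a machine-wide value under HKLM\SOFTWARE\ContosoApp) are hypothetical; the UAC value names and their meanings are real.

```powershell
# Added example (not from the deck): check a Windows 7 machine's UAC posture
# from the documented policy values, then show the "elevated/non-elevated
# pieces" pattern the slide recommends. The two pieces of work (a per-user
# settings file and a machine-wide registry value under HKLM\SOFTWARE\ContosoApp)
# are hypothetical; only the UAC value names and meanings are real.
param([switch]$AdminOnly)

$script:SelfPath = $MyInvocation.MyCommand.Path
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue($props, $name, $default) {
    # A missing value means "not configured", i.e. the Windows 7 default.
    if ($props.PSObject.Properties[$name]) { $props.$name } else { $default }
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey
    $findings = @()
    # EnableLUA=0 switches UAC off completely: no split admin token, no integrity
    # levels on the desktop, no file/registry virtualization, no Protected Mode IE.
    if ((Get-UacValue $p 'EnableLUA' 1) -ne 1) {
        $findings += 'EnableLUA=0: UAC is off, which removes the protections, not just the consent prompt'
    }
    # 0 = elevate silently, 2 = always prompt for consent, 5 = Windows 7 default
    # (prompt only for binaries that are not part of Windows).
    if ((Get-UacValue $p 'ConsentPromptBehaviorAdmin' 5) -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt at all'
    }
    if ((Get-UacValue $p 'PromptOnSecureDesktop' 1) -ne 1) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the user desktop where other processes can draw over them'
    }
    if ((Get-UacValue $p 'EnableVirtualization' 1) -ne 1) {
        $findings += 'EnableVirtualization=0: non-UAC-compliant apps that write to Program Files or HKLM will fail for standard users'
    }
    $findings
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Non-elevated piece: everything that works with the standard-user token.
function Invoke-UserPart {
    $cfg = Join-Path $env:LOCALAPPDATA 'ContosoApp\settings.ini'   # hypothetical
    New-Item -ItemType Directory -Path (Split-Path $cfg) -Force | Out-Null
    Set-Content -Path $cfg -Value 'Updated=1'
    $cfg
}

# Elevated piece: the one step that genuinely needs the full administrator token.
function Invoke-AdminPart {
    if (-not (Test-IsElevated)) {
        # Relaunch only this step with elevation: a single prompt, scoped to the admin work.
        $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$script:SelfPath`" -AdminOnly"
        Start-Process -FilePath powershell.exe -ArgumentList $argList -Verb RunAs -Wait
        return
    }
    $key = 'HKLM:\SOFTWARE\ContosoApp'                                   # hypothetical
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Installed -Value 1 -Type DWord
}

if ($AdminOnly) { Invoke-AdminPart; exit }

Get-UacPosture | ForEach-Object { Write-Warning $_ }
$settings = Invoke-UserPart
Write-Host "Per-user settings written to $settings (no elevation needed)"
Invoke-AdminPart
```

Save it as a .ps1 and run it as a standard user or an unelevated administrator: the settings file is written without any prompt, and exactly one consent prompt appears, for the registry step. If the script is launched from an already elevated shell, Test-IsElevated returns True and the admin step runs in-process. Get-UacPosture is the check to run on an image before deployment: an EnableLUA=0 finding means the whole slide's benefit is gone, not merely the prompt.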
Desktop Auditing: Windows Vista to Windows 7

Windows Vista: Enhanced Auditing

Challenges
- Granular auditing complex to configure
- Auditing access and privilege use for a group of users

Windows 7
- New XML based events
- Fine grained support for audit of administrative privilege
- Simplified filtering of "noise" to find the event you're looking for
- Tasks tied to events

Customer Value
- Simplified configuration results in lower TCO
- Demonstrate why a person has access to specific information
- Understand why a person has been denied access to specific information
- Track all changes made by specific people or groups

Demo: UAC & Audit
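To make the auditing bullets concrete: the PowerShell below is an added example (not the deck's demo and not Microsoft code). It enables one granular subcategory with auditpol, pulls the privilege-use events for a single user out of the Security log with an XPath filter on the XML event data (the "filter out the noise" point), and attaches a scheduled task to the same event (the "tasks tied to events" point). The user name alice, the 24-hour window and the C:\Scripts\notify.ps1 path are assumptions; the event IDs and field names are those of the Windows Security log.

```powershell
# Added example (not from the deck): turn on one granular audit subcategory
# and pull the matching events out of the Security log with an XML filter.
# The user name 'alice', the 24-hour window and C:\Scripts\notify.ps1 are
# assumptions. Run elevated: auditpol and the Security log need admin rights.

# Vista/Windows 7 subcategories replace the nine coarse categories of XP.
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /get /subcategory:"Sensitive Privilege Use"

function Get-PrivilegeUse {
    param(
        [string]$User,
        [int]$Hours = 24,
        [int]$Max = 100
    )
    $ms = $Hours * 3600 * 1000
    # 4673 = a privileged service was called, 4674 = an operation was attempted
    # on a privileged object. Filtering on EventData in XPath is what the XML
    # event format buys you: the event log service does the matching, so you do
    # not parse every 4673 on the box client-side just to find one user's.
    $xpath = "*[System[(EventID=4673 or EventID=4674) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='SubjectUserName']='$User']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each event is XML; named Data elements become a lookup table.
            [xml]$x = $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = $d['SubjectUserName']
                Privilege = $d['PrivilegeList']
                Process   = $d['ProcessName']
            }
        }
}

Get-PrivilegeUse -User 'alice' |
    Sort-Object Time |
    Format-Table -AutoSize Time, Id, User, Privilege, Process

# "Tasks tied to events": run a script whenever a 4674 is written, without polling.
schtasks /Create /TN "AlertOnPrivilegeUse" /SC ONEVENT /EC Security `
    /MO "*[System[EventID=4674]]" /TR "powershell.exe -File C:\Scripts\notify.ps1" /RU SYSTEM /F
```

The same XPath string works unchanged as a custom view in Event Viewer and as the trigger of the scheduled task, which is the practical payoff of XML events: one filter expression serves querying, alerting and forwarding. Subcategory names are localized, so on non-English systems use the subcategory GUIDs from auditpol /list /subcategory:* /r instead of the display names.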
Helping Secure Anywhere Access

Network Security
- Policy based network segmentation for more secure and isolated logical networks
- Multi-Home Firewall Profiles
- DNSSEC Support

Network Access Protection
- Help ensure that only "healthy" machines can access corporate data
- Enable "unhealthy" machines to get clean before they gain access

DirectAccess
- Security enhanced, seamless, always on connection to corporate network
- Improved management of remote users
Network Access Protection: Windows 7
- Health policy validation and remediation
- Helps keep mobile, desktop and server devices in compliance
- Reduces risk from unauthorized systems on the network

Diagram: a Windows client connects through a DHCP server, VPN server or switch/router to the Network Policy Server (NPS), which validates the client's health against policy servers (such as Update and AV). A policy compliant client is admitted to the corporate network; a client that is not policy compliant is placed on a restricted network with remediation servers (example: Update) until it is brought into compliance.
Remote Access for Mobile Workers: Access Information Virtually Anywhere

Situation Today
- Difficult for users to access corporate resources from outside the office
- Challenging for IT to manage and update mobile PCs while disconnected from the company network

Windows 7 Solution: DirectAccess
- Same experience accessing corporate resources inside and outside the office
- Seamless connection increases productivity of mobile users
- Easy to service mobile PCs and distribute updates and policies
Help Protect Users & Infrastructure

AppLocker™
- Enables application standardization within an organization without increasing TCO
- Support compliance enforcement

Internet Explorer 8
- Help protect users against social engineering and privacy exploits
- Help protect users against browser based exploits
- Help protect users against web server exploits

Data Recovery
- File back up and restore
- CompletePC™ image-based backup
- System Restore
- Volume Shadow Copies
- Volume Revert
Application Control

Situation Today
- Users can install and run non-standard applications
- Even standard users can install some types of software
- Unauthorized applications may: introduce malware; increase helpdesk calls; reduce user productivity; undermine compliance efforts

Windows 7 Solution: AppLocker
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy
AppLocker: Technical Details
- Simple rule structure: Allow, Exception & Deny
- Publisher rules based on product publisher, product name, file name & file version
- Multiple policies: executables, installers, scripts & DLLs
- Rule creation tools & wizard, including PowerShell cmdlets
- Audit only mode
- SKU availability: AppLocker in Enterprise; legacy SRP (Software Restriction Policies) in Business & Enterprise

Demo: AppLocker
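The technical-details slide lists publisher rules, the PowerShell cmdlets and audit-only mode without showing how they fit together. The script below is an added example (not the session's demo and not Microsoft's sample code) that walks the rollout a practitioner actually does: inventory the installed executables, generate publisher rules with hash rules as a fallback for unsigned binaries, flip every rule collection to AuditOnly, apply the policy, dry-run a file against it, and then read the audit events that show what enforcement would have blocked. The directory, the policy file path, the Downloads\tool.exe test file and the LDAP path in the comment are assumptions; the cmdlet names, parameters, service name, log name and event IDs are AppLocker's own.

```powershell
# Added example (not from the deck): build an AppLocker policy from what is
# installed, deploy it in audit-only mode, test a file against it, and read
# the audit events. Paths and the test binary are assumptions.
# Requires a Windows 7 SKU with AppLocker and an elevated PowerShell.

Import-Module AppLocker

# AppLocker enforces nothing until the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory: Authenticode publisher info where the binary is signed, hash otherwise.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Rules: publisher rules survive version updates; hash rules are the fallback
#    for unsigned files. -Optimize merges rules that share publisher and product.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Audit-only mode: nothing is blocked, but every would-be block is logged.
[xml]$doc = $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$path = 'C:\Policies\AppLocker-Baseline.xml'                       # assumed path
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
$doc.Save($path)

# 4. Apply locally. -Merge keeps rules already present instead of replacing them.
#    For a domain, target the GPO instead:
#    Set-AppLockerPolicy -XmlPolicy $path -Ldap "LDAP://DC1/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com"
Set-AppLockerPolicy -XmlPolicy $path -Merge

# 5. Dry-run a file against the policy before any user sees a block.
Test-AppLockerPolicy -XmlPolicy $path -Path 'C:\Users\alice\Downloads\tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. Review what audit mode would have blocked (8003) or, once enforced, did block (8004).
function Get-AppLockerAudit {
    param([int[]]$Ids = @(8003, 8004), [int]$Max = 50)
    $cond = ($Ids | ForEach-Object { "EventID=$_" }) -join ' or '
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
        -FilterXPath "*[System[$cond]]" -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker events carry their details in UserData, not EventData.
            [xml]$x = $_.ToXml()
            $ev = $x.Event.UserData.RuleAndFileData
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Id = $_.Id
                File = $ev.FilePath; User = $ev.TargetUser; Rule = $ev.RuleName
            }
        }
}
Get-AppLockerAudit | Format-Table -AutoSize Time, Id, User, File, Rule
```

Run the machine in AuditOnly for a few weeks and work the 8003 list down to zero by adding publisher rules (or exceptions) before changing EnforcementMode to Enabled; the same Get-AppLockerAudit then reports 8004 for what enforcement actually stops. Remember that the Exe collection does not cover scripts, installers or DLLs; each is its own RuleCollection and needs its own inventory pass with the matching -FileType.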
Internet Explorer 8 Security
Building on IE7 and addressing the evolving threat landscape

Social Engineering & Exploits
- Reduce unwanted communications / freedom from intrusion: International Domain Names, Pop-up Blocker, increased usability
- Choice and control / clear notice of information use: provide only what is needed
- Control of information: user-friendly, discoverable notices; P3P-enabled cookie controls; Delete Browsing History; InPrivate™ Browsing & Filtering

Browser & Web Server Exploits
- Protection from deceptive websites, malicious code, online fraud, identity theft
- Protection from harm: Secure Development Lifecycle; Extended Validation (EV) SSL certs; SmartScreen® Filter; Domain Highlighting; XSS Filter; DEP/NX; ClickJacking prevention; ActiveX® Controls
Help Protect Data

EFS
- User-based file and folder encryption
- Ability to store EFS keys on a smart card

RMS
- Integrated RMS client
- Policy definition and enforcement
- Helps protect information wherever it travels

BitLocker
- Easier to configure and deploy
- Roam protected data between work and home
- Share protected data with co-workers, clients, partners, etc.
BitLocker

Situation Today: Challenges
- Corporate control over ubiquitous, cheap, small, high capacity removable storage devices
- Dual partition configuration of primary hard drive for IT
- End user friendliness and discoverability

Windows 7 Solution: BitLocker To Go
- Extend BitLocker drive encryption to removable devices
- Create group policies to mandate the use of encryption and block unencrypted drives
- Simplify BitLocker setup and configuration of primary hard drive
BitLocker: Technical Details

BitLocker enhancements
- Automatic 100 MB hidden boot partition
- New key protectors: Domain Recovery Agent (DRA); smart card (data volumes only)

BitLocker To Go
- Support for FAT
- Protectors: DRA, passphrase, smart card and/or auto-unlock
- Management: protector configuration, encryption enforcement
- Read-only access on Windows Vista & Windows XP
- SKU availability: encrypting in Enterprise; unlocking in all SKUs

Demo: BitLocker
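The two BitLocker slides describe the policy side ("block unencrypted drives") and the protector side (passphrase, recovery password, DRA) separately. The PowerShell below is an added example, not the session's demo and not Microsoft code, that puts both in one place for a removable drive: it writes the registry value behind the "Deny write access to removable drives not protected by BitLocker" Group Policy setting, turns on BitLocker To Go with a passphrase and a recovery password using manage-bde (the tool Windows 7 ships; BitLocker cmdlets only arrived in Windows 8), backs the recovery password up to Active Directory, and parses manage-bde -status into an object you can check in a script. Drive letter E: is an assumption; the registry path and value, the manage-bde switches and the output labels are BitLocker's own.

```powershell
# Added example (not from the deck): mandate BitLocker To Go on removable drives,
# then turn it on for one USB stick with manage-bde. Drive letter E: is an
# assumption. Run in an elevated PowerShell on Windows 7.

# Policy half: Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Removable Data Drives > "Deny write access to removable
# drives not protected by BitLocker". Unencrypted sticks mount read-only, so users can
# still read old data but cannot carry corporate data out unencrypted.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord

function Get-BitLockerStatus {
    param([string]$Drive)
    $out = & manage-bde -status $Drive | Out-String
    # manage-bde prints "Label:   value" lines; pick out the ones that matter.
    $field = { param($label) if ($out -match "(?m)^\s*$label\s*:\s*(.+?)\s*$") { $matches[1] } }
    New-Object PSObject -Property @{
        Drive      = $Drive
        Conversion = & $field 'Conversion Status'
        Encrypted  = & $field 'Percentage Encrypted'
        Protection = & $field 'Protection Status'
        Lock       = & $field 'Lock Status'
    }
}

function Enable-BitLockerToGo {
    param([string]$Drive)
    # Passphrase protector for everyday unlock on any Windows 7 PC (Vista and XP get
    # read-only access through the BitLocker To Go Reader on a FAT volume) plus a
    # 48-digit recovery password for the helpdesk. -Password prompts interactively.
    # If Group Policy specifies a Data Recovery Agent, it is added as a protector too.
    & manage-bde -on $Drive -Password -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed with exit code $LASTEXITCODE" }

    # Find the numerical (recovery) password protector and back it up to AD DS.
    # Needs the "Store BitLocker recovery information in AD DS" policy and the
    # BitLocker schema extensions on the domain; otherwise store the password
    # shown by manage-bde in your recovery system of record.
    $prot = & manage-bde -protectors -get $Drive | Out-String
    if ($prot -match 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
        & manage-bde -protectors -adbackup $Drive -id $matches[1]
    }
    Get-BitLockerStatus -Drive $Drive
}

Enable-BitLockerToGo -Drive 'E:'

# Optional: let this stick unlock automatically on this PC only. Requires the OS
# drive itself to be BitLocker-protected, because the unlock key is stored there.
# & manage-bde -autounlock -enable E:
```

Encryption of a removable drive runs in the background, so Get-BitLockerStatus will report "Encryption in Progress" with a rising percentage for a while; Protection Status only reads "Protection On" once conversion is complete. Set the policy value through a real GPO rather than this local write in production, so a user with local admin rights cannot simply delete it.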
Windows 7 Enterprise Security (summary)
Building upon the security foundations of Windows Vista®, Windows® 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Fundamentally Secure Platform
- Windows Vista Foundation
- Streamlined User Account Control
- Enhanced Auditing

Helping Secure Anywhere Access
- Network Security
- Network Access Protection
- DirectAccess™

Protect Users & Infrastructure
- AppLocker™
- Internet Explorer® 8
- Data Recovery

Help Protect Data
- RMS
- EFS
- BitLocker™ & BitLocker To Go™
Question & Answer

Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
- Microsoft Certification & Training Resources: www.microsoft.com/learning
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.