Bring Your Own Device demo: make a Windows to Go stick
TRANSCRIPT
Windows 8 After & Beyond
Raymond P. L. Comvalius
About the speaker
Raymond P. L. Comvalius
Consultant, trainer and author
MVP Windows Expert IT Pro since 2011
@nextxpert
About this session
After & Beyond
Windows to Go
User Environment Virtualization
User Account Control
Enhanced Protected Mode
1.033 slides
5 demos
0 minutes of Q&A
100% cloud free
Bring Your Own Device
Windows to Go
Start Windows 8 from a USB stick
Preferably USB 3.0 for performance
Block internal disks
Drivers
Direct Access
BitLocker
Why not on YOUR computer?
Building Windows to Go
Tools
Diskpart
DISM
BcdBoot
Windows 8 image
Notepad
Demo: Make a Windows to Go stick
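The build the demo walks through, as an added example that is not the speaker's demo script. It assumes the USB stick is disk 2 in diskpart, the Windows 8 install image is D:\sources\install.wim (index 1), and the stick gets drive letter W; the "block internal disks" item is done with the SAN policy unattend setting (the file the slide's Notepad is for).

```powershell
# Added example (not the speaker's demo script): builds a Windows To Go stick
# with the tools from the slide. Assumptions: the USB stick is disk 2 in
# diskpart, the Windows 8 image is D:\sources\install.wim (index 1), and the
# stick gets drive letter W. Run elevated; the selected disk is wiped.
param(
    [int]$DiskNumber = 2,                           # assumption: verify with "list disk"
    [string]$ImagePath = 'D:\sources\install.wim',  # assumption
    [int]$ImageIndex = 1,
    [string]$Drive = 'W'
)
$root = "${Drive}:\"

# 1. Diskpart: wipe the stick, one NTFS partition, marked active, letter assigned.
$diskpartScript = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick label="WindowsToGo"
active
assign letter=$Drive
exit
"@
$scriptFile = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptFile

# 2. DISM: apply the Windows image to the stick.
dism /Apply-Image /ImageFile:$ImagePath /Index:$ImageIndex /ApplyDir:$root

# 3. BcdBoot: boot files for both BIOS and UEFI hosts.
bcdboot "${root}Windows" /s "${Drive}:" /f ALL

# 4. "Block internal disks": SAN policy 4 (OfflineInternal) keeps the host's own
#    disks offline when the stick boots, so the host OS is not mounted. It goes in
#    an unattend file applied offline with DISM; a 32-bit image needs processorArchitecture="x86".
$sanPolicy = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
"@
$unattendFile = Join-Path $env:TEMP 'san_policy.xml'
Set-Content -Path $unattendFile -Value $sanPolicy -Encoding UTF8
dism /Image:$root /Apply-Unattend:$unattendFile
```

BitLocker and DirectAccess from the slide are configured afterwards on the booted stick and are not part of this build step.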
User Environment Virtualization
User State Virtualization?
2009 white paper:
Folder Redirection
Offline Folders
Roaming Profiles
User Environment Virtualization
2012: new addition to MDOP
UE-V (How do I pronounce this?)
MS alternative to roaming profiles
Integration with App-V and Remote Desktop
UE-V requirements
• OS:
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows 8 Server
• A shared folder per user
• A shared folder for SettingsTemplates
• Offline Files for offline use
• UE-V Agent software on the client
UE-V Management
• UE-V Generator
• XML settings template
• Tools
  • WMI
  • Registry
  • PowerShell
Built-in Templates
• Office 2010
• IE9 & 10
• Windows Settings
  • Themes
  • Ease of Access
• Windows Accessories
  • Notepad
  • Paint
  • Wordpad
  • Etc.
Triggers
• Windows
  • Log on & log off
  • Lock & unlock
  • Remote session start
• Applications
  • Application start & stop
UE-V Pros & Cons
• Pro
  • Finally a white list for roaming settings
  • Few requirements
  • Simple to implement
• Con
  • Few settings templates
  • Not in the OS
  • Limited to files in %userprofile%
  • Only copies static information
Demo: User Environment Virtualization
User Account Control
Windows User Types
• The Administrator
  • The account named ‘administrator’
• An Administrator
  • Your name with administrator privileges
• Protected Administrator
  • AKA: ‘Administrator in Admin Approval Mode’
• Standard User
  • Your name without administrator privileges
Standardizing the User Token (slide diagram of the token contents)
User-SID
Local/Builtin Group SIDs: Administrators, Backup Operators, Power Users, Network Configuration Operators
Domain Group SIDs: Group Policy Creator Owners, Schema Admins, Enterprise Admins, Denied RODC Password Replication Group
Mandatory Label
Rights/Privileges: Create a token object, Act as part of the operating system, Take ownership of files and other objects, Load and unload device drivers, Back up files and directories, Restore files and directories, Impersonate a client after authentication, Modify an object label, Debug programs
Demo: Analysis of the User Access Token
User Account Control – “Best Practice”
• Disable it
  • Metro apps stop working
  • IE loses “Protected Mode”
• Password to elevate
  • Opportunity for malware
Integrity Levels
• Mandatory Access Control
• Levels are part of the ACLs and tokens
• Lower level object has limited access to higher level objects
• Used to protect the OS and for Internet Explorer Protected Mode
Level to subject mapping on the slide:
System: Services
High: Administrators
Medium (Default): Standard Users
Low: IE Protected Mode
Standardizing the User Token (slide diagram: two tokens side by side)
Integrity level: High (elevated token) vs. Integrity level: Medium
User-SID
Local/Builtin Group SIDs
Domain Group SIDs
Mandatory Label
Rights/Privileges
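A token dump laid out like the two token slides above and the earlier token-analysis demo, as an added example that is not the speaker's demo. It assumes English-locale CSV output from whoami /groups and whoami /priv and the well-known integrity label SIDs; it distinguishes a Protected Administrator token (Medium, Administrators marked deny-only) from an elevated one (High).

```powershell
# Added example (not the speaker's demo): lists the current token the way the
# slide diagrams lay it out (user SID, local/builtin and domain group SIDs,
# mandatory label, privileges) and tells a Protected Administrator token
# (Medium) apart from an elevated one (High). Assumes the English CSV output
# of "whoami /groups" and "whoami /priv" on Windows 8.
function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami shows every SID in the token, including those marked "deny only",
    # which .NET's WindowsIdentity.Groups filters out.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    # Mandatory label SIDs: S-1-16-4096 Low, 8192 Medium, 12288 High, 16384 System.
    $labelNames = @{ 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium'
                     'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $labelRow = $rows | Where-Object { $_.Type -eq 'Label' }
    $label    = if ($labelRow) { $labelNames[$labelRow.SID] } else { 'Unknown' }
    $adminRow = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    [pscustomobject]@{
        UserSid        = $identity.User.Value
        # Local/builtin groups live under S-1-5-32-*; S-1-5-21-* are domain
        # (or local machine) groups; the rest are well-known SIDs.
        BuiltinGroups  = @($rows | Where-Object { $_.SID -like 'S-1-5-32-*' } | ForEach-Object { $_.'Group Name' })
        DomainGroups   = @($rows | Where-Object { $_.SID -like 'S-1-5-21-*' } | ForEach-Object { $_.'Group Name' })
        IntegrityLabel = $label
        # Protected Administrator: Administrators is in the token but marked
        # "Group used for deny only", so IsInRole() stays false until elevation.
        IsAdminMember  = $null -ne $adminRow
        AdminDenyOnly  = ($null -ne $adminRow) -and ($adminRow.Attributes -like '*deny only*')
        IsElevated     = $principal.IsInRole($adminRole)
        EnabledPrivs   = @($privs | Where-Object { $_.State -eq 'Enabled' }  | ForEach-Object { $_.'Privilege Name' })
        DisabledPrivs  = @($privs | Where-Object { $_.State -eq 'Disabled' } | ForEach-Object { $_.'Privilege Name' })
    }
}

Get-TokenSummary | Format-List
```

Run it once from a normal prompt and once from an elevated one to see the same user switch from Medium with a deny-only Administrators group to High with the full privilege set.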
IE protected mode
• Only with User Account Control enabled
• iexplore.exe runs with Low Integrity Level
• User Interface Privilege Isolation (UIPI)
Internet Explorer 8
Internet Explorer 9
IE Broker mechanism (slide diagram)
iexplore.exe (frame process): UI frame with Favorites Bar and Command Bar; Protected-mode Broker Object
iexplore.exe (tab process 1) … iexplore.exe (tab process n): Browser Helper Objects, Toolbar Extensions, ActiveX Controls; Tab 1 … Tab n
Tab processes run at Low Integrity Level (Protected Mode = On) or Medium Integrity Level (Protected Mode = Off)
Zone labels on the slide: Internet/Intranet; Trusted Sites
Demo: Integrity Levels
Enhanced Protected Mode
• Prevention of cross-zone attacks
  • “Cross-Site Request Forgery (CSRF)”
  • “Intranet port scanning”
• Default in Metro Internet Explorer
• Protection of intranet resources
• 127.0.0.1 vs localhost
AppContainer
• For programmers in the Metro UI
• What apps are allowed to do must be declared in advance:
  • documentLibrary
  • musicLibrary
  • videoLibrary
  • picturesLibrary
  • microphone
  • Webcam
  • removableStorage
  • Location
  • Proximity
  • internetClient
  • internetClientServer
  • textMessaging
  • privateNetworkClient
  • privateNetworkClientServer
  • certificates
Demo: Enhanced Protected Mode
Summary
Defining the business case
Form factors
Metro interface
Security
Apps
Know what you are getting into (slide diagram of the workplace stack)
Client Operating System (Windows 8): Hardware, Drivers, IE, HD encryption, Firewall, Office, Middleware, Layered apps (Business apps, Base apps), AV, Mgt Agents
LAN, Wifi, 3G; Remote Access; Internet Access
Infra Services: SCCM, AV Mgt, Remote Desktop, App-V, Mail, Intranet, Unified Comms, AD, PKI, File Svc, Print Svc, Deploy
Workplace: Profile Mgt, Config
Q&A