microsoft platform security briefing
You are in a workshop…
Not a training…
Who are we - Introductions
Ranjana Jain, IT Pro Evangelist – Platform Security, Microsoft India (MCSE, MCT, RHCE, CISSP, CIW Security Analyst)
Srinivas L, Technology Specialist – Security, Microsoft India (MCTS-Security, CCNA, CCNE, CNA)
Gautam Dua, Solution Specialist – Management and Security, Microsoft India (MCSE, MCT)
Evolving Threat Landscape
1986–1995: Local area networks; first PC virus; boot sector viruses; created for notoriety or to cause havoc; slow propagation; 16-bit DOS
1995–2000: Internet era; macro viruses; script viruses; created for notoriety or to cause havoc; faster propagation; 32-bit Windows
2000–2005: Broadband prevalent; spyware, spam, phishing, botnets, rootkits; financial motivation; Internet-wide impact; 32-bit Windows
2007: Hyperjacking; peer to peer; social engineering; application attacks; financial motivation; targeted attacks; 64-bit Windows
Evolving Threats (chart): attacker motivation (curiosity, personal fame, personal gain, national interest) plotted against attacker skill (script-kiddy, undergraduate, expert, specialist), with the actor types author, vandal, thief, spy and trespasser. Annotations mark the largest area by volume, the largest area by $ lost, the largest segment by $ spent on defense, and the fastest growing segment.
Addressing Security Threats
People: Company understands the importance of security in the workplace; individuals know their role with security governance and compliance; IT staff has the security skills and knowledge to support your business
Process: Data privacy processes to manage data effectively; IT security processes to implement, manage, and govern security; financial reporting processes that include security of the business
Technology: Helps turn IT into a business asset, not a cost center; supports your day-to-day security processes; is the enabler to running your business successfully
Microsoft’s Promises To You
• Manage Complexity, Achieve Agility
• Advance the Business with IT Solutions
• Amplify the Impact of Your People
• Protect Information, Control Access
Delivering On The Promise: Infrastructure Optimization
*Source: Microsoft CSO Summit 2007 Registration Survey
Basic: No centralized enterprise directory; no automated patch management; anti-malware not centrally managed; message security for e-mail only; no secure coding practices in place
Standardized: Using enterprise directory for authentication; automated patch management tools deployed; anti-malware is managed centrally; unified message security in place
Rationalized: Integrated directory services, PKI in place; formal patch management process; defense-in-depth threat protection; security extended to remote and mobile workforce
Dynamic: Full identity lifecycle management; ID federation, Rights Management Services in use; metrics-driven update process; client quarantine and access policy enforcement
Core Infrastructure Optimization (chart): the four maturity levels run from cost center (Basic) through more efficient cost center and business enabler to strategic asset (Dynamic), with the per-PC cost shown falling from $1320/PC to $580/PC, $230/PC and under $100/PC. Source: GCR and IDC data analyzed by Microsoft, 2006.
Core Infrastructure Optimization Model: Security (improve IT maturity while gaining ROI)

Basic
• People: IT staff taxed by operational challenges; users come up with their own IT solutions
• Process: IT processes undefined; complexity due to localized processes and minimal central control
• Technology: Patch status of desktops is unknown; no unified directory for access management

Standardized
• People: IT staff trained in best practices such as MOF, ITIL, etc.; users expect basic services from IT
• Process: Central administration and configuration of security; standard desktop images defined, not adopted by all
• Technology: Multiple directories for authentication; limited automated software distribution

Rationalized
• People: IT staff manages an efficient, controlled environment; users have the right tools, availability, and access to information
• Process: SLAs are linked to business objectives; clearly defined and enforced images, security, best practices
• Technology: Automated identity and access management; automated system management

Dynamic
• People: IT is a strategic asset; users look to IT as a valued partner to enable new business initiatives
• Process: Self-assessing and continuous improvement; easy, secure access to information from anywhere on the Internet
• Technology: Self-provisioning and quarantine-capable systems ensure compliance and high availability
• Confidentiality
• Integrity
• Availability
Secure, usable, cheap: you get to pick any two!
Trustworthy Computing
Security Development Lifecycle (diagram): Product Inception; Design and Threat Modeling; Standards, best practices, and tools; Security Push; Final Security Review; RTM and Deployment (Signoff); Security Response
Comprehensive Security Portfolio (diagram)
• Guidance
• Developer Tools
• Systems Management
• Identity Management: Active Directory Federation Services (ADFS), Windows CardSpace
• Information Protection: Encrypting File System (EFS), BitLocker™
• Services
• Edge
• Client and Server OS
• Server Applications
• Network Access Protection (NAP)
Priority #1 - Platform Security
Security Development Lifecycle; Security Response Center; Better Updates and Tools
Windows Vista security features
• Secure Platform: Security Development Lifecycle (SDL); Kernel Patch Protection; Kernel-mode Driver Signing; Secure Startup; Windows Service Hardening
• Secure Access: User Account Control; Network Access Protection (NAP); IPv6; IPsec; Windows CardSpace; native smart card support; GINA re-architecture; Certificate Services; credential roaming
• Data Protection: Rights Management Services (RMS) with SharePoint, Exchange and Windows Mobile integration; Encrypting File System (EFS); BitLocker
• Malware Protection: Windows Defender; IE Protected Mode; Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); bi-directional firewall; Windows Security Center

Windows Server security features
• Secure Platform: Security Development Lifecycle (SDL); Windows Server Virtualization (Hypervisor); Role Management Tool; OS File Integrity
• Identity and Access: Read-only Domain Controller (RODC); Active Directory Federation Services (ADFS); Administrative Role Separation; PKI Management Console; Online Certificate Status Protocol
• Network Protection: Network Access Protection (NAP); Server and Domain Isolation with IPsec; end-to-end network authentication; Windows Firewall with Advanced Security, on by default
• Data Protection: Rights Management Services (RMS); full volume encryption (BitLocker); USB device-connection rules with Group Policy; improved auditing; Windows Server Backup
Physical and Infrastructure Security
Windows Firewall with Advanced Security: Supports both inbound and outbound filtering; set filtering policies by port, traffic type, or application; built-in support for IPv6, IPsec, and NAP policies
Network Access Protection: Windows Vista has built-in support for NAP; NAP policies support conditional exclusions so unhealthy clients can connect to update servers to become compliant with established policies
IPsec: Windows Vista has built-in support for IPsec; Windows Vista IPsec policies support NAP/NAC and Domain Isolation; IPsec policies support conditional exclusions
Identity and Access Control
Authentication Methods: New deployment and management tools such as PIN reset tools; a common API model to make it easier for smart card developers to build new tools; improved support for biometrics and tokens
Windows CardSpace: Manages Internet identities and allows user control of personally identifiable information; lets users view what personal information will be shared and how it will be used
Windows Security Center: Shows the status of security software and settings; monitors multiple vendors’ security solutions running on a computer and indicates which are enabled and up to date
Malware Protection
Malicious Software Removal Tool: Scans computers for infections by specific types of prevalent malware families; updated versions are released each month, or as needed when new threats are discovered
Windows Defender: Leverages UAC and improved caching technology integration for better performance; integration with IE7 allows downloaded files to be scanned prior to saving or execution; protects against damage caused by malware installations
Internet Explorer 7: IE processes are ‘sandboxed’ to protect against infection; designed for security and compatibility
Information Protection
BitLocker Drive Encryption: Data encryption for volumes and hard drives; uses AES encryption and integration with the Trusted Platform Module (TPM 1.2) to secure data
Data Storage Group Policies: Enforce data storage policies by controlling where users can store data; prevent data loss and theft by limiting what media can be used to store sensitive information
Encrypting File System: User-based data encryption for files and folders; EFS keys can be stored on roaming profiles or on smart cards
New Windows Firewall
• Inbound and outbound filtering
• New management MMC
• Integrated firewall and IPsec policies
• Rule configuration on Active Directory groups and users
• Support for IPv4 and IPv6
• Advanced rule options
• On by default (Beta 3)
Windows Service Hardening (diagram): defense in depth through factoring/profiling; reduce the size of high-risk layers; segment the services; increases the number of layers. Layers shown: kernel drivers, user-mode drivers, and services (Service 1, Service 2, Service 3, …, Service A, Service B).
Network Access Protection (diagram: Windows client; DHCP, VPN or switch/router; Microsoft Network Policy Server with patch and AV policy; corporate LAN; restricted network with patch server)
1. Client requests access to the network and presents its current health state
2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates it against the IT-defined health policy
4. If not policy compliant, the client is put in a restricted VLAN and given access to download patches, configurations and signatures (repeat 1–4)
5. If policy compliant, the client is granted full access to the corporate network
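The five-step flow above as an added Python simulation that is not part of the original deck: a constructed health policy (the patch baseline number and signature-age limit are hypothetical) stands in for the IT-defined policy NPS evaluates, the client's statement of health is validated, the client is placed on the restricted or corporate network, and remediation repeats steps 1–4 until it is compliant.

```python
from dataclasses import dataclass

# Constructed health policy: the IT-defined checks that NPS evaluates in step 3.
# The patch baseline number and signature age limit are hypothetical values.
POLICY = {"min_patch_level": 12, "max_signature_age_days": 3, "firewall_required": True}

@dataclass
class HealthState:
    """Statement of health the client presents when requesting access (step 1)."""
    patch_level: int          # highest patch baseline installed
    signature_age_days: int   # age of the anti-virus signature set
    firewall_on: bool

def nps_validate(health: HealthState) -> list:
    """Step 3: compare the relayed health state against policy; return the failed checks."""
    failures = []
    if health.patch_level < POLICY["min_patch_level"]:
        failures.append("patches")
    if health.signature_age_days > POLICY["max_signature_age_days"]:
        failures.append("signatures")
    if POLICY["firewall_required"] and not health.firewall_on:
        failures.append("firewall")
    return failures

def enforce(health: HealthState) -> tuple:
    """Steps 4/5: the enforcement point (DHCP, VPN or switch) places the client on a network."""
    failures = nps_validate(health)
    if failures:
        return "restricted", failures  # restricted VLAN: only patch/AV servers reachable
    return "corporate", []             # full access to the corporate LAN

def remediate(health: HealthState, failures: list) -> HealthState:
    """Step 4: the client pulls patches, signatures and configuration from the restricted network."""
    return HealthState(
        patch_level=POLICY["min_patch_level"] if "patches" in failures else health.patch_level,
        signature_age_days=0 if "signatures" in failures else health.signature_age_days,
        firewall_on=True if "firewall" in failures else health.firewall_on,
    )

def nap_cycle(health: HealthState, max_rounds: int = 3) -> list:
    """Run steps 1-5, repeating 1-4 after each remediation until access is granted."""
    decisions = []
    for _ in range(max_rounds):
        network, failures = enforce(health)
        decisions.append(network)
        if network == "corporate":
            break
        health = remediate(health, failures)
    return decisions
```

A client that fails on patches, signatures and firewall is first placed on the restricted network and, after one remediation round, granted corporate access.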
Windows Server Core
Benefits: Reduced software maintenance; reduced attack surface; reduced management; less disk space required
Features: Limits the server roles used; installs only a subset of the binaries; only required features are installed; command line interface, no GUI shell; takes about 1 GB for installation
Windows Server Core Architecture (diagram)
Server Core roles: DNS; DHCP; File Server; Active Directory; AD Lightweight Directory Service; Print Server; Media Services; Windows Virtualization Server
Features: WINS; SNMP; BitLocker Drive Encryption; Telnet Client; Failover Clustering; Removable Storage Management; Backup
Server Core layers:
• Thin Management Tools (Local and Remote): Configure IP Address, Join a Domain, Create Users, etc.
• Infrastructure Features: Command Shell, Domain Join, Event Log, Performance Counter Infrastructure, WS-Mgmt, WMI Infrastructure, Licensing Service, WFP, HTTP Support, IPsec
• Core Subsystems: Security (Logon Scenarios), Networking (TCP/IP), File Systems, RPC, Winlogon, Necessary Dependencies
• Resolved Category Dependencies: HAL, Kernel, VGA, Logon, etc.
• Hardware Support Components: Disk, Network Adapter, etc.
Microsoft Security …
Consumer / Small Business: Simple PC maintenance; anti-virus, anti-spyware, anti-phishing; firewall; performance tuning; backup and restore
Corporate: Client protection, server protection and edge protection; “point to point” solutions; security of data at rest and in transit; mobile workforce; manageability

Unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control
• Unified Protection: One spyware and virus protection solution; built on protection technology; effective threat response
• Simplified Administration: One simplified security administration console; define one policy to manage client protection agent settings; integrates with your existing infrastructure
• Visibility and Control: One dashboard for visibility into threats and vulnerabilities; view insightful reports; stay informed with state assessment scans and security alerts
Combined Solution
Windows Vista™: User Account Control; IE7 with Protected Mode; randomized address space layout; advanced desktop firewall; Kernel Patch Protection (64-bit)
Forefront™ Client Security: Unified virus and spyware protection; central management; reporting, alerting and state assessment; infrastructure software integration
Combined: Policy-based network segmentation; restrict-to-trusted network communications; Server and Domain Isolation (SD&I)
Operations Architecture (diagram): desktops, laptops and server operating systems running Microsoft Forefront Client Security; Microsoft Update; Management Server (or alternate system); Reporting and Alerting Server (or alternate system); flows labelled SETTINGS, REPORTS, DEFINITIONS and EVENTS
Demo: Forefront Client Security
Tea/Coffee Break
Application Layer Security
Gartner Magic Quadrant: E-Mail Security Boundary -Leader-
Anti-Virus for Application Servers (diagram): elements labelled A to E sit between the Internet and the Exchange Server / Windows-based SMTP server; distributed protection; performance tuning; content filtering; central management
Microsoft IAG for Secure Access
• Secure Remote Access: Optimized access for employees, partners, and customers from virtually any device or location
• Branch Office Security: Enhanced connectivity and security for remote sites and applications
• Internet Access Protection: Increased resiliency for IT infrastructure against Internet-based threats
Customizable enterprise security: SSL VPN access to internal applications; Microsoft, third-party, and custom apps supported; granular access control rules; support for multiple authentication mechanisms
Demo: Intelligent Application Gateway
Lunch Break
Systems Management Suite Enterprise
Security and Management
• www.microsoft.com/security/guidance
Join Us…
http://delhiitpro.groups.live.com
Mail me: [email protected]
Pro Momentum Program; Technet Plus Subscription; Quarterly VTD: http://www.ConnectWithLife.com
Thank you (the slide shows the phrase in Hindi, Gujarati, Bengali, Punjabi, Odia, Tamil, Telugu, Kannada and Malayalam)
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the
date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.