Robert Nottoli - Northwestern University
Robert Nottoli, Principal Technology Specialist | Windows Server | Microsoft Corporation
Business Results & New Value
- End User Productivity
- Customer Connection
- Keep Business Up & Running
- Security
- Competition
- Technology Change
- Regulatory Compliance
- Cost Reduction
Client
- Control: Manage your environment
- Availability: Maximize uptime and productivity
- Flexibility: For your changing business needs
- Clear: User experiences
- Confident: Safe for users, easier for IT
- Connected: To information, people, devices
Server
Investing in the Fundamentals: A solid foundation for your business
Challenges
- Patch Management: Applying security patches is time consuming and disruptive
- Keep System Running: Too much time trying to keep things running and not enough time improving systems and adding business value
- Security: Protecting critical systems and high-value data from unauthorized access and malicious code is job #1

Windows Server Longhorn
- Reliability: Advanced reliability enhancements to reduce loss of access, work, time, data and control
- Performance and Scalability: Scalability advancements that enable you to deploy even the most demanding infrastructure for your business
- Security: Delivers a more robust and secure computing experience for PCs and servers
Key Development Tenets
- Security, Security, Security, Security, Security
- Scenario-focused
- Integrated innovation
- Compatibility
- Heterogeneous interoperability
- Enabling broad industry ecosystem and volume economics
- Best of breed functionality for all server workloads
Server Functions (Workloads)
- Operational Infrastructure: Networking, Remote Access, Security, Identity Management, Terminal Server
- Solutions: General Purpose & Enterprise, Medium Business, Small Business
- Application Platform: Application/Web Server, Unix integration services, Database, High Performance Computing
- Information Worker Infrastructure: Storage (file, portal), Print, Email, Collaboration
- Management: Software Distribution, Virtualization, Operations Management
[Slide 6, comment WR-7] Do we still really need this slide? Perhaps the promises slide will work better here with an emphasis on our tenets. Ward Ralston, 5/7/2006
Security Features

Windows Service Hardening: Defense In Depth – Factoring/Profiling
- Reduce size of high risk layers
- Segment the services
- Increase # of layers
Layer diagram: Kernel Drivers; User-mode Drivers; Service 1, Service 2, Service 3, …; Service A, Service B
Service Changes in Longhorn Server (services and their accounts)

Windows XP SP2 / Server 2003 R2
- LocalSystem: Wireless Configuration, System Event Notification, Network Connections (netman), COM+ Event System, NLA, Rasauto, Shell Hardware Detection, Themes, Telephony, Windows Audio, Error Reporting, Workstation, ICS, RemoteAccess, DHCP Client, W32time, Rasman, browser, 6to4, Help and support, Task scheduler, TrkWks, Cryptographic Services, Removable Storage, WMI Perf Adapter, Automatic updates, WMI, App Management, Secondary Logon, BITS
- Network Service: DNS Client
- Local Service: SSDP, WebClient, TCP/IP NetBIOS helper, Remote registry

Windows Vista / Longhorn Server
- LocalSystem, Firewall Restricted: WMI Perf Adapter, Automatic updates, Secondary Logon, App Management, Wireless Configuration
- LocalSystem: BITS, Themes, Rasman, TrkWks, Error Reporting, 6to4, Task scheduler, RemoteAccess, Rasauto, WMI
- Network Service, Fully Restricted: DNS Client, ICS, DHCP Client, browser, Server, W32time
- Network Service, Network Restricted: Cryptographic Services, Telephony, PolicyAgent, Nlasvc
- Local Service, No Network Access: System Event Notification, Network Connections, Shell Hardware Detection, COM+ Event System
- Local Service, Fully Restricted: Windows Audio, TCP/IP NetBIOS helper, WebClient, SSDP, Event Log, Workstation, Remote registry
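The slide above records which services were moved off LocalSystem and which gained a restricted service SID. The following added example (not part of the presentation) is the check a defender runs on a live box to see how far that model has been applied: it joins each service's account and process type from Win32_Service with the service SID type reported by `sc.exe qsidtype`, then lists the services that still run unrestricted as LocalSystem. It assumes an elevated PowerShell prompt on a Vista-or-later Windows host.

```powershell
# Added example (not from the presentation): audit service accounts and service-SID
# restriction, the two levers Windows Service Hardening pulls. Run elevated.

function Get-ServiceHardeningReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE:  RESTRICTED"
        $sidLine = (& sc.exe qsidtype $svc.Name 2>$null) -match 'SERVICE_SID_TYPE'
        $sidType = if ($sidLine) { ($sidLine[0] -split ':\s*')[1].Trim() } else { 'UNKNOWN' }

        [PSCustomObject]@{
            Name       = $svc.Name
            Account    = $svc.StartName          # LocalSystem, NT AUTHORITY\NetworkService, ...
            StartMode  = $svc.StartMode
            State      = $svc.State
            # A shared svchost process widens the blast radius of one compromised service
            Shared     = ($svc.ServiceType -like '*Share*')
            ServiceSid = $sidType               # UNRESTRICTED, RESTRICTED or NONE
        }
    }
}

# Services still running unrestricted as LocalSystem deserve the closest look:
# they are the "high risk layer" the slide says should be shrunk.
Get-ServiceHardeningReport |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.ServiceSid -ne 'RESTRICTED' } |
    Sort-Object Name |
    Format-Table Name, Account, StartMode, State, Shared, ServiceSid -AutoSize
```

Compare the output against the Vista/Longhorn column above: a service that the slide lists as "Fully Restricted" or "Network Restricted" but that reports UNRESTRICTED here has had its hardening undone, typically by a vendor installer or a manual `sc config` change.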
[Slide 9, comment WR-4] To me - this is a great slide to introduce why upgrades to Win2K are a security risk and we are not supporting.... Ward Ralston, 5/7/2006
BitLocker™ Drive Encryption
- Designed specifically to help prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
- Secure Startup: helps provide data protection on your Windows systems, even when the system is in unauthorized hands
- Uses a v1.2 TPM or USB flash drive for key storage

BitLocker™ Features Overview
- Ensures boot process integrity: protects the system from offline software-based attacks
- Protects data while the system is offline: encrypts the entire Windows volume including both user data and system files, the hibernation file, the page file and temporary files
- Force Recovery: sys-admin-only tool to securely speed up PC re-deployment; eases equipment recycling
- Single MS TPM driver: improved stability and security
- TPM Base Services (TBS): Windows and 3rd party SW access to TPM
- Scenarios: lost or stolen laptop; branch-office server; server integrity
Code Integrity: OS File Protection
- Validates the integrity of the boot process: checks kernel, HAL and boot-start drivers; if validation fails, the image won't load
- Validates the integrity of each binary image: implemented as a file system filter driver; checks hashes for every page as it's loaded; checks any image loading into a protected process
- Hashes stored in the system catalog or in an X.509 certificate embedded in the file
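Code Integrity does its checking at load time, which makes it hard to observe directly; the same evidence it relies on (a catalog entry or an embedded Authenticode signature) can be checked from user mode. The following added example (not from the presentation) walks the boot-start drivers the slide says are validated and reports any whose signature does not verify. It assumes a Windows host with the built-in `Get-AuthenticodeSignature` cmdlet, which also consults the system catalogs, so catalog-signed files with no embedded certificate still report Valid.

```powershell
# Added example (not from the presentation): verify the signature of every boot-start
# driver, i.e. the set Code Integrity checks before the kernel lets it load.

function Get-BootDriverSignatureReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' } |
        ForEach-Object {
            # PathName is commonly a native path such as \SystemRoot\system32\drivers\x.sys
            $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            if (-not $path) {
                # Some entries carry no path; fall back to the conventional location
                $path = Join-Path $env:SystemRoot "system32\drivers\$($_.Name).sys"
            }

            $sig = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

            [PSCustomObject]@{
                Driver = $_.Name
                Path   = $path
                # Valid = catalog or embedded signature verified; anything else needs a look
                Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# On a healthy system this prints nothing; each row is a driver Code Integrity would reject.
Get-BootDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Driver, Status, Signer, Path -AutoSize
```

A NotSigned or HashMismatch result on a boot-start driver is exactly the condition under which the slide says "the image won't load", so this is a useful pre-reboot check after driver updates or a suspected tampering event.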
Controlling Device Installation
- Ability to block all new device installs: can deploy a machine and allow no new devices to be installed
- Set exceptions based on device class or device ID: allow keyboards and mice to be added, but nothing else; allow specific device IDs
- Configurable via Group Policy, set at the computer level
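The "keyboards and mice, but nothing else" case on the slide maps to two policy settings: deny everything not otherwise allowed, then allow two device setup classes. The following added example (not from the presentation) writes those settings locally and verifies them. The registry path, value names and the keyboard/mouse setup-class GUIDs are taken from my understanding of the Device Installation Restrictions policy templates and are assumptions, not something the slide states; in a domain the same values would be set through a Group Policy Object rather than directly.

```powershell
# Added example (not from the presentation): lock down device installation to
# keyboards and mice only. Run elevated. Key path and value names are assumed from
# the Device Installation Restrictions ADMX templates.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup class GUIDs for keyboards and mice (assumed well-known class GUIDs)
$allowedClasses = @(
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}',  # Keyboard
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}'   # Mouse
)

New-Item -Path $restrictions -Force | Out-Null
# "Prevent installation of devices not described by other policy settings"
Set-ItemProperty -Path $restrictions -Name DenyUnspecified -Type DWord -Value 1
# "Allow installation of devices using drivers that match these device setup classes"
Set-ItemProperty -Path $restrictions -Name AllowDeviceClasses -Type DWord -Value 1

# The allowed classes live as numbered string values under a subkey of the same name
$classKey = Join-Path $restrictions 'AllowDeviceClasses'
New-Item -Path $classKey -Force | Out-Null
$i = 1
foreach ($guid in $allowedClasses) {
    Set-ItemProperty -Path $classKey -Name ([string]$i) -Type String -Value $guid
    $i++
}

function Test-DeviceInstallLockdown {
    # Returns $true only when both the deny-by-default and the class allow-list are set,
    # so a half-applied policy (deny without exceptions, or exceptions without deny) fails.
    $p = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    $classes = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
    return ($p.DenyUnspecified -eq 1 -and $p.AllowDeviceClasses -eq 1 -and $null -ne $classes)
}

Test-DeviceInstallLockdown
```

Deny-by-default without the allow-list is the common misconfiguration: it blocks the replacement keyboard as well as the unwanted USB storage device, which is why the check insists on both halves.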
Next Generation TCP/IP

Motivation and Focus
- Provide more efficient, scalable, high-speed, more secure and manageable networking
- Integrate new capabilities and functionality to meet customer needs
- Reduce cost of ownership
- Improve reliability and servicing

Benefits
- Improved security without need to change the user experience
- Greater reliability for a more resilient, easy to use and manage networking experience
- Better scalability to meet growing connectivity demands and maximize server resources in a cost effective manner

Security
- Reduce the risk of network security threats
- Safeguard sensitive data and intellectual property
- Full-featured, enterprise functionality

Performance
- Automatically adjusts for maximum efficiency
- Optimized performance without loss
- Cost-effectively scale networking up and out
- Adopt hardware acceleration and offloading
Complete Redesign of TCP/IP (stack diagram)
- User mode: Winsock
- Kernel mode: AFD, TDX, TDI; WSK; WSK Clients, TDI Clients
- Next Generation TCP/IP Stack (tcpip.sys): TCP, UDP, RAW; IPv4, IPv6; IPv4 Tunnel, IPv6 Tunnel, Loop-back; Inspection API
- Below the stack: NDIS; 802.3, WLAN

- Dual-IP layer architecture for native IPv4 and IPv6 support
- Seamless security through expanded IPsec integration
- Improved performance via hardware acceleration
- Network auto-tuning and optimization algorithms
- Greater extensibility and reliability through rich APIs
A Short List of New Features
Technology | Security | Experience | Scalability
IPsec | X | |
VPN Routing Compartments | X | |
Windows Filtering Platform (WFP) | X | X |
Secure Sockets API | X | |
IPv6 | X | |
TCP Chimney | | | X
TCP-A (I/OAT) | | | X
Receive Side Scaling (RSS) | | | X
Receive Window Auto-Tuning | | X | X
Compound-TCP (CTCP) – Congestion Control | | X | X
Wireless Reliability | | X |
Black-Hole Router Detection (BHRD) | | X |
Dead Gateway Detection | | X |
Network Diagnostics Framework/Extended TCP Statistics | | X |
Policy-based Quality of Service (eQoS) | | X | X
Windows Firewall with Advanced Security
- Combined firewall and IPsec management: new management tools – Windows Firewall with Advanced Security MMC snap-in; reduces conflicts and coordination overhead between technologies
- Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups
- Outbound filtering: enterprise management feature – not for consumers
- Simplified protection policy reduces management overhead
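What "more intelligent" rules look like in practice is easiest to see in the command-line form of the same snap-in. The following added example (not from the presentation) uses `netsh advfirewall` to set a block-by-default policy including outbound, create an inbound rule that requires IPsec authentication and encryption from members of an Active Directory computer group, add a narrow outbound exception, and add the matching connection security rule so peers actually negotiate IPsec. The rule names, port choice and the group SID are constructed placeholders.

```powershell
# Added example (not from the presentation): firewall rules that carry IPsec and AD
# group requirements, created with netsh advfirewall. Run elevated.

# Default policy: block unsolicited inbound and, as an enterprise setting, block
# outbound so that only explicitly allowed outbound traffic leaves the host.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Inbound SMB only from authenticated, encrypted IPsec peers that are members of an
# AD computer group. rmtcomputergrp takes an SDDL string; the SID is a placeholder.
$fileAdminsSid = 'S-1-5-21-PLACEHOLDER-1234'   # constructed placeholder group SID
netsh advfirewall firewall add rule name="SMB in from file-admin hosts (IPsec)" `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenc rmtcomputergrp="D:(A;;CC;;;$fileAdminsSid)"

# Outbound exception: let the Windows Update service out; everything else stays
# blocked by the policy above.
netsh advfirewall firewall add rule name="Allow Windows Update out" `
    dir=out action=allow protocol=TCP remoteport=80,443 service=wuauserv

# Connection security rule: require authentication for inbound SMB and request it
# outbound, using computer Kerberos (domain membership) as the credential.
netsh advfirewall consec add rule name="Require auth for SMB" `
    endpoint1=any endpoint2=any protocol=TCP port1=any port2=445 `
    action=requireinrequestout auth1=computerkerb

# Review what was created; the Security and RemoteComputerGroup fields are what make
# the inbound rule "intelligent" rather than a plain port allow.
netsh advfirewall firewall show rule name="SMB in from file-admin hosts (IPsec)" verbose
```

Without the connection security rule, a firewall rule with `security=authenc` silently matches nothing, because no peer ever offers IPsec; creating both in the same change is the coordination overhead the snap-in is meant to remove.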
Windows Server 2003: Installing, securing, and managing server roles fragmented across multiple tools: Windows Server 2003 Setup; Post-Setup Security Updates; Manage Your Server; Configure Your Server Wizard; Add/Remove Windows Components; Computer Management; Security Configuration Wizard
Longhorn Server Setup Phases: OS Setup → Initial Configuration Tasks → Server Manager

Server Manager: Provides a great, out-of-the-box experience for adding, configuring, and managing server roles
1. Out of box experience (OOBE): walks the user through the tasks necessary to complete setup and operationalize the server
2. Single experience for configuring LH Server: steps the user through adding and removing server roles and features securely
3. Portal for ongoing management: displays server status, exposes key management tasks, and guides the user to advanced management tools
Network Access Protection: How it works
Components in the diagram: Windows Client; DHCP, VPN or Switch/Router (enforcement point); Microsoft Network Policy Server (MSFT NPS); Policy Servers (e.g. Patch, AV); Fix Up Servers (e.g. Patch); Restricted Network; Corporate Network
1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network
NAP - Enforcement Options
Enforcement | Healthy Client | Unhealthy Client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (MS and 3rd Party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems
Complements layer 2 protection. Works with existing servers and infrastructure. Flexible isolation.
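The five-step flow and the enforcement table above together define a small decision procedure: a health statement goes in, a full-or-restricted decision plus a remediation list comes out, and the enforcement method decides what "restricted" means. The following added example (not from the presentation) models that exchange end to end so the two outcomes can be seen side by side. The health items, thresholds and sample client values are constructed for illustration; real NAP carries them in System Health Agent / Validator pairs and RADIUS attributes, which this model does not reproduce.

```powershell
# Added example (not from the presentation): a model of the NAP exchange, steps 1-5.
# Health items and thresholds are constructed; real NAP uses SHA/SHV pairs over RADIUS.

# IT-defined health policy (step 3 is evaluated against this)
$HealthPolicy = @{
    FirewallEnabled     = $true
    AntivirusEnabled    = $true
    MaxSignatureAgeDays = 3
    RequiredPatchLevel  = 1200
}

function New-StatementOfHealth {
    # Step 1: the client describes its current health state
    param([bool]$Firewall, [bool]$Antivirus, [int]$SignatureAgeDays, [int]$PatchLevel)
    [PSCustomObject]@{
        FirewallEnabled  = $Firewall
        AntivirusEnabled = $Antivirus
        SignatureAgeDays = $SignatureAgeDays
        PatchLevel       = $PatchLevel
    }
}

function Invoke-NpsHealthCheck {
    # Step 2: the enforcement point relays the statement; step 3: NPS validates it
    param(
        $SoH,
        $Policy,
        [ValidateSet('DHCP', 'VPN', '802.1X', 'IPsec')][string]$Enforcement
    )

    $failures = @()
    if ($Policy.FirewallEnabled -and -not $SoH.FirewallEnabled)   { $failures += 'Enable the host firewall' }
    if ($Policy.AntivirusEnabled -and -not $SoH.AntivirusEnabled) { $failures += 'Enable antivirus' }
    if ($SoH.SignatureAgeDays -gt $Policy.MaxSignatureAgeDays)     { $failures += 'Update AV signatures' }
    if ($SoH.PatchLevel -lt $Policy.RequiredPatchLevel)             { $failures += 'Install missing patches' }

    # Steps 4-5: what each enforcement method does with a non-compliant client
    # (from the enforcement options table above)
    $restrictedBy = @{
        DHCP     = 'restricted set of routes'
        VPN      = 'restricted VLAN'
        '802.1X' = 'restricted VLAN'
        IPsec    = 'healthy peers reject connection requests'
    }

    [PSCustomObject]@{
        Enforcement = $Enforcement
        Compliant   = ($failures.Count -eq 0)
        Access      = if ($failures.Count -eq 0) { 'full' } else { "restricted ($($restrictedBy[$Enforcement]))" }
        Remediation = $failures       # what the fix-up servers must supply before step 1 repeats
    }
}

# Non-compliant client: lands in the restricted network with a fix-up list (repeat 1-4)
$soh = New-StatementOfHealth -Firewall $true -Antivirus $true -SignatureAgeDays 10 -PatchLevel 1100
Invoke-NpsHealthCheck -SoH $soh -Policy $HealthPolicy -Enforcement DHCP

# Same client after remediation: compliant, full access to the corporate network
$soh = New-StatementOfHealth -Firewall $true -Antivirus $true -SignatureAgeDays 0 -PatchLevel 1200
Invoke-NpsHealthCheck -SoH $soh -Policy $HealthPolicy -Enforcement DHCP
```

Switching the `-Enforcement` argument shows the point the table makes: the health verdict is identical across enforcement methods, only the consequence of "restricted" changes, and only IPsec enforcement keeps protecting healthy hosts from an unhealthy one that is already on the same segment.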
NAP Benefits
Support | Benefit
Built-in client: Windows Vista, XP | No need to deploy/license 3rd party client; updates via WUS / WSUS / SMS
Flexible enforcement: DHCP, VPN, 802.1x, Terminal Services, Server and Domain isolation | Works with today's & tomorrow's networks; enables risk-benefit trade-offs
3rd party enforcement: All major switch / router / firewall / VPN | Customers can use any network or security infrastructure vendor
Health assessment: SMS, WUS, SecurityCenter, 3rd party | Seamless integration with Windows infrastructure; works with any AV, patch or endpoint security solution
User experience: Integrated with Vista glass; branding supported | Polished look and feel tailored for the customer environment
Management: Integration with SMS, AD, Group Policy and MOM for client, server and service operations | Complete policy-based administration and operation
Demo
Investing in the Fundamentals
- Security: threat modeling, tools, testing and code review; secure startup with BitLocker drive encryption; service hardening and user access control
- Reliability: hot-pluggable subsystems and self-healing file system; server core and composite roles require fewer reboots; restart manager and restartable Active Directory
- Performance: redesigned TCP/IP stack for better bandwidth use; optimized virtualization platform; support for 64 x64-bit cores and 1TB RAM
Goals: Common Services; Common Experiences; Integrated Innovations
3 Step Process
- Gather requirements, prioritize and create specifications
- Review products at three milestones – product definition, beta, and RTM
- Product release - Go/No Go decision
External Publication of Report: publish report for reviewed products at public beta
Transparency; Predictability
Read-only DC value proposition
- Attack surface has been reduced for DCs in physically unsecured locations
  - Impact of stolen DC to the Active Directory reduced: by default, no users\computers passwords stored on RODC
  - Attack surface to the Active Directory for a compromised DC has been reduced
- Read-only state
  - Unidirectional replication for AD and FRS\DFSR
  - Each RODC has its own KDC KrbTGT account
  - Very limited rights to write in Directory
  - RODCs are workstation accounts, no EDC or DDC group membership
- Easier management and configuration of DCs in branch offices
  - Most AD branch office guide recommendations enabled by default
Read-only DC Demo: How RODC mitigates "stolen DC"
- Hub Admin perspective
- Attacker perspective
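The "stolen DC" mitigation rests on the claim that, by default, no user or computer passwords are stored on the RODC; what actually bounds the damage is the Password Replication Policy and the set of secrets that policy has already let the RODC cache. The following added example (not from the presentation) is the hub administrator's side of that demo: it lists what the RODC is allowed and denied to cache, enumerates the accounts whose passwords it has actually revealed (the set to reset after a theft), and flags any privileged account among them. It uses the ActiveDirectory PowerShell module from RSAT, which post-dates the Longhorn-era material on the slide; the RODC name is a constructed placeholder.

```powershell
# Added example (not from the presentation): bound the impact of a stolen RODC from
# the hub. Requires the ActiveDirectory module (RSAT) and rights to read the domain.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'   # constructed placeholder; use the RODC's computer name

# 1. What may this RODC cache? "Allowed" should stay deliberately small, because the
#    slide's default of storing no passwords only holds until someone adds to it.
Write-Host "Allowed to cache on $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "Denied from caching on $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 2. Which passwords have actually been revealed to it? This is the set a thief who
#    walked off with the box could attempt to recover, and therefore the set to reset.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
Write-Host "Accounts with passwords cached on $rodc : $(@($revealed).Count)"
$revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Privileged accounts must never be in the revealed set; flag any that are.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$revealed | Where-Object { $privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged account cached on $rodc : $($_.Name)" }

# 4. Confirm the DC really is read-only before trusting any of the above.
Get-ADDomainController -Identity $rodc | Select-Object Name, IsReadOnly, Site
```

Running step 2 regularly, and immediately after a branch office reports a missing server, turns "impact reduced" from a design property into a measurable list of accounts to reset.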
RODC deployment prerequisites
Summary: Works in existing environments! No patching to down-level DCs or clients needed; no domain restructuring; may be able to consolidate bridgehead servers
Incremental Requirements
- Must be in Win2003 Forest Functional Mode: linked value replication reduces lost updates; RODCs require constrained delegation
- PDC FSMO must be running Longhorn: to ensure uniqueness of RODC Kerberos TGT accounts; PDC FSMO understands RODC accounts for secure channel
- Recommend multiple LH DCs per domain: to load balance RODC replication
- 1 RODC per domain per site supported; writeable LH DC and RODC can coexist; RODCs from different domains can coexist
Admin Role Separation: Overview
Problem: Customers have too many Domain Admins; most of these DAs are really server admins (patch management, etc.)
Solution: Provides a new "local administrator" level of access per RODC
- Also includes all Builtin groups (Backup Operators, etc.)
- Prevents accidental AD modifications by machine administrators
- Does not prevent "local administrator" from maliciously modifying the local DB
What is Server Core?
- Part of the "Windows Server" SKU, available as an install option
- Delivers the core set of server OS functionality
- Can boot and operate stand-alone in headless/embedded scenarios
- Part of an overall Windows/LH Server infrastructure solution

Tying it all together
- Server Core + Restartable AD: reduced reboots for servicing
- Server Core + RODC + Admin Role Separation: the ultimate secure appliance domain controller
Authentication Enhancements
- New logon architecture: GINA (the old Windows logon model) is gone. Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding
- Easier Smart Card deployments: drivers and Certificate Service Provider (CSP) included in Windows Vista and Windows Update; login and credential prompts for User Account Control all support Smart Cards
Credential Providers: Technology Introduction
- Credential Providers replace GINA
- Credential Providers plug in to Logon UI
- Logon UI can interact simultaneously with multiple credential providers
- Credential Providers can be user selected and/or event driven
- Inbox Credential Providers: Password, Smart Card
- What Credential Providers cannot do: replace the UI for the logon screen

Credential Providers: Value Proposition
- Easier to write a Credential Provider than it was to write a GINA
- LogonUI and CredUI provide all UI
- Winlogon handles LsaLogonUser and Terminal Services support
- Credential providers simply define credentials and use LogonUI to gather the data
- Uses COM to interact with LogonUI and CredUI
Other Security Features Redesigned/Improved
- ADFS
- PKI improvements
- Indigo - Common Development Platform
- Claims-aware applications
- Web SSO
- RMS 2.0
- Group Policy
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.