Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal

Microsoft Preliminary Information, Subject To Change. Azra Rizal, Security Advisor | DP&E | Microsoft Corporation. Enhance Security and Control.

Upload: quek-lilian

Post on 14-May-2015


Category: Technology



DESCRIPTION

Windows 7 Security Story Core

TRANSCRIPT

Page 1: Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal

Azra Rizal, Security Advisor | DP&E | Microsoft Corporation

Enhance Security and Control

Page 2

Windows 7 Enterprise Security: Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Windows Vista Foundation: Fundamentally Secure Platform, Streamlined User Account Control, Enhanced Auditing

Network Security: Network Access Protection, DirectAccess™, Securing Anywhere Access

Protect Users & Infrastructure: AppLocker™, Internet Explorer 8, Data Recovery

Protect Data from Unauthorized Viewing: RMS, EFS, BitLocker

Page 3

Windows Vista Foundation

Streamlined User Account Control
• Make the system work well for standard users
• Administrators use full privilege only for administrative tasks
• File and registry virtualization helps applications that are not UAC compliant

Enhanced Auditing
• XML based
• Granular audit categories
• Detailed collection of audit results
• Simplified compliance management

Fundamentally Secure Platform
• Security Development Lifecycle process
• Kernel Patch Protection
• Windows Service Hardening
• DEP & ASLR (IE 8 inclusive)
• Mandatory Integrity Controls

Page 4

User Account Control: Windows Vista vs. Windows 7

Windows Vista: System Works for Standard User
• All users, including administrators, run as Standard User by default
• Administrators use full privilege only for administrative tasks or applications

Challenges
• User provides explicit consent before using elevated privilege
• Disabling UAC removes protections, not just the consent prompt

Windows 7: Streamlined UAC
• Reduce the number of OS applications and tasks that require elevation
• Refactor applications into elevated/non-elevated pieces
• Flexible prompt behavior for administrators

Customer Value
• Users can do even more as a standard user
• Administrators will see fewer UAC Elevation Prompts

Page 5

Desktop Auditing: Windows Vista vs. Windows 7

Windows Vista: Challenges
• Granular auditing complex to configure
• Auditing access and privilege use for a group of users

Windows 7: Enhanced Auditing
• New XML based events
• Fine grained support for audit of administrative privilege
• Simplified filtering of “noise” to find the event you’re looking for
• Tasks tied to events

Customer Value
• Simplified configuration results in lower TCO
• Demonstrate why a person has access to specific information
• Understand why a person has been denied access to specific information
• Track all changes made by specific people or groups
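The following PowerShell script is an added example, not part of the slide deck, showing what the "Enhanced Auditing" bullets look like in practice on Windows 7: enabling one granular audit subcategory with auditpol, putting a SACL on a folder, and then filtering the XML-based Security events by user with an XPath query and reading the named EventData fields. The folder path and user name are placeholders; run it from an elevated session.

```powershell
# Added example (not from the slide deck): granular audit subcategory, folder
# SACL, and XPath filtering of the XML Security events on Windows 7.
# Assumed inputs: the folder to watch and the user to track are placeholders.
$WatchedFolder = 'C:\Finance\Contracts'     # placeholder path
$TrackedUser   = 'alice'                    # placeholder account name

function Enable-FolderAccessAuditing {
    param([string]$Path)

    # 1. Granular audit categories: enable only the "File System" subcategory
    #    instead of the whole legacy "Object Access" category.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. Object access events are only generated for objects that carry a SACL,
    #    so add an audit rule for Everyone covering write/delete style accesses.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit',
        'None',
        'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAccessEvents {
    param([string]$User, [int]$MaxEvents = 200)

    # 3. Filter the noise on the event log side: event 4663 ("an attempt was made
    #    to access an object") for the tracked user only, as an XPath query over
    #    the XML event schema instead of scanning every Security event in PowerShell.
    $xpath  = "*[System[EventID=4663] and EventData[Data[@Name='SubjectUserName']='$User']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4. Read the named EventData fields from the XML form of the event.
        [xml]$x = $e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
}

# Usage: enable auditing once, then report what the tracked user touched,
# grouped by object so repeated handle operations collapse into one line each.
Enable-FolderAccessAuditing -Path $WatchedFolder
Get-FileAccessEvents -User $TrackedUser |
    Group-Object Object |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The XPath filter is the same syntax Event Viewer accepts in a custom XML filter, so a query tuned here can be pasted into a saved view or attached to a scheduled task (the "Tasks tied to events" bullet) without rewriting it.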

Page 6

Network Security

DirectAccess™
• Security protected, seamless, always-on connection to corporate network
• Improved management of remote users
• Consistent security for all access scenarios

Network Access Protection
• Ensure that only “healthy” machines can access corporate data
• Enable “unhealthy” machines to get clean before they gain access

Securing Anywhere Access
• Windows Firewall can coexist with 3rd party products
• Multi-Home Profiles
• DNSSec

Page 7

Network Access Protection: Windows 7
• Health policy validation and remediation
• Helps keep mobile, desktop and server devices in compliance
• Reduces risk from unauthorized systems on the network

Diagram: a Windows Client connects through an enforcement point (DHCP, VPN, Switch/Router) to the Network Policy Server (NPS), which checks the client against Policy Servers such as Patch and AV. A policy compliant client is admitted to the Corporate Network; a client that is not policy compliant is placed on the Restricted Network with Remediation Servers (example: Patch).

Page 8

Remote Access for Mobile Workers: Access Information Anywhere

Situation Today
• Difficult for users to access corporate resources from outside the office
• Challenging for IT to manage, update, patch mobile PCs while disconnected from company network

Windows 7 Solution: DirectAccess™
• Same experience accessing corporate resources inside and outside the office
• Seamless connection increases productivity of mobile users
• Easy to service mobile PCs and distribute updates and policies

Page 9

Protect Users & Infrastructure

AppLocker™
• Enables application standardization within an organization without increasing TCO
• Increase security to safeguard against data and privacy loss
• Support compliance enforcement

Internet Explorer 8
• Protect users against social engineering and privacy exploits
• Protect users against browser based exploits
• Protect users against web server exploits

Data Recovery
• File back up and restore
• CompletePC™ image-based backup
• System Restore
• Volume Shadow Copies
• Volume Revert

Page 10

Application Control

Situation Today
• Users can install and run non-standard applications
• Even standard users can install some types of software
• Unauthorized applications may: introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts

Windows 7 Solution: AppLocker™
• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy

Page 11

AppLocker™ Technical Details
• Simple Rule Structure: Allow, Exception & Deny
• Publisher Rules: Product Publisher, Name, Filename & Version
• Multiple Policies: Executables, installers & scripts
• Rule creation tools & wizard
• Audit only mode
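The PowerShell script below is an added example, not code from the slide deck or from Microsoft, that walks the technical details above on a Windows 7 Enterprise/Ultimate reference machine: it generates publisher rules (with hash rules as fallback for unsigned files) for the executable, installer and script collections, switches every collection to audit-only mode, tests one file against the policy, and reads back the "would have been blocked" audit events. The scan roots and the test file path are placeholders; run it from an elevated session.

```powershell
# Added example (not from the slide deck): publisher rules, audit-only mode and
# policy testing with the AppLocker PowerShell module on Windows 7.
Import-Module AppLocker

function New-AuditOnlyAppLockerPolicy {
    param(
        [string[]]$ScanRoots = @($env:ProgramFiles, $env:SystemRoot),   # placeholder roots
        [string]$OutFile = "$env:TEMP\AppLocker-AuditOnly.xml"         # placeholder output path
    )

    # Collect publisher, hash and path information for the executables,
    # Windows Installer packages and scripts found under the scan roots
    # (the three rule collections on the "Multiple Policies" bullet).
    $fileInfo = foreach ($root in $ScanRoots) {
        Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, WindowsInstaller, Script
    }

    # Publisher rules first (signer, product, file name, version); fall back to
    # hash rules for unsigned files. -Optimize merges rules that share a publisher.
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
        -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

    # Audit-only mode: rules are evaluated and logged, nothing is blocked.
    # EnforcementMode is set per rule collection (NotConfigured/Enabled/AuditOnly).
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $policy.Save($OutFile)
    return $OutFile
}

function Test-FileAgainstPolicy {
    param([string]$PolicyFile, [string]$FilePath, [string]$User = 'Everyone')
    # Returns the decision (Allowed/Denied/...) and the matching rule for a file
    # without running it, so rule gaps are found before enforcement is turned on.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $FilePath -User $User
}

function Get-AppLockerAuditHits {
    # 8003 = executable would have been blocked, 8006 = MSI/script would have
    # been blocked; both are only written while a collection is in AuditOnly.
    $exe = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue
    $msi = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } -ErrorAction SilentlyContinue
    @($exe) + @($msi) | Where-Object { $_ } | ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Message = $_.Message
        }
    } | Sort-Object Time
}

# Usage: build and apply the audit-only policy to the local GPO, check one file,
# and collect the audit hits after the machine has been used for a while.
$policyFile = New-AuditOnlyAppLockerPolicy
Start-Service AppIDSvc      # Application Identity service must be running for AppLocker to evaluate rules
Set-AppLockerPolicy -XmlPolicy $policyFile
Test-FileAgainstPolicy -PolicyFile $policyFile -FilePath 'C:\Users\Public\Downloads\unknown-tool.exe'   # placeholder path
Get-AppLockerAuditHits | Format-Table Time, Id, Message -AutoSize
```

Leaving the collections in AuditOnly for a review period and only then changing EnforcementMode to Enabled (or importing the XML into a domain GPO) is what keeps the "Audit only mode" bullet from turning into helpdesk calls on day one.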

Page 12

Internet Explorer 8 Security: Building on IE7 and addressing the evolving threat landscape

Social Engineering & Exploits
• Freedom from intrusion (reduce unwanted communications): International Domain Names, Pop-up Blocker in IE7, Increased usability
• Choice and control: Clear notice of information use, Provide only what is needed
• Control of information: User-friendly, discoverable notices, P3P-enabled cookie controls, Delete Browsing History, InPrivate™ Browsing & Blocking

Browser & Web Server Exploits
• Protection from harm (protection from deceptive websites, malicious code, online fraud, identity theft): Secure Development Lifecycle, Extended Validation (EV) SSL certs, SmartScreen® Filter, Domain Highlighting, XSS Filter, DEP/NX, ActiveX Controls

Page 13

Protect Data from Unauthorized Viewing

EFS
• User-based file and folder encryption
• Ability to store EFS keys on a smart card

BitLocker
• Easier to configure and deploy
• Roam protected data between work and home
• Share protected data with co-workers, clients, partners, etc.
• Improve compliance and data security

RMS
• Policy definition and enforcement
• Protects information wherever it travels
• Integrated RMS Client
• Policy-based protection of document libraries in SharePoint

Page 14

Data Protection Scenarios

Scenarios evaluated against RMS, EFS and BitLocker™:
• Remote document policy enforcement
• Protect content in transit
• Protect content during collaboration
• Local multi-user file & folder protection on a shared machine
• Remote file & folder protection
• Untrusted network administrator
• Laptop protection
• Branch office server
• Local single-user file & folder protection

Page 15

BitLocker

Situation Today
[Chart: Worldwide Shipments (000s), 2007 to 2011: Removable Solid-State Storage Shipments vs. PC Shipments]
• Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth
• Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III

Windows 7 Solution: BitLocker To Go™
• Extend BitLocker™ drive encryption to removable devices
• Create group policies to mandate the use of encryption and block unencrypted drives
• Simplify BitLocker setup and configuration of primary hard drive

Page 16

BitLocker Technical Details

BitLocker Enhancements
• Automatic 200 Mb hidden boot partition
• New Key Protectors: Domain Recovery Agent (DRA); Smart card (data volumes only)

BitLocker To Go™
• Support for FAT*
• Protectors: DRA, passphrase, smart card and/or auto-unlock
• Management: protector configuration, encryption enforcement
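As an added example (not from the slide deck or from Microsoft), the PowerShell script below covers the "Management" bullet from the defender's side on Windows 7: it inventories removable drives, parses the manage-bde status output for each one to recover conversion status, protection status and the configured key protectors, and checks whether the Group Policy setting that blocks writing to unencrypted removable drives is in force. The registry value name is taken from the VolumeEncryption ADMX and is an assumption to verify on your build; run from an elevated session.

```powershell
# Added example (not from the slide deck): BitLocker To Go state inventory and
# policy check on Windows 7 using manage-bde.exe and WMI.

function Get-RemovableBitLockerState {
    # DriveType 2 = removable disk (USB flash drives, card readers).
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $drives) {
        $out = manage-bde -status $d.DeviceID 2>&1 | Out-String

        # "Key Protectors:" is followed either by "None Found" or by one
        # indented protector per line (Password, Numerical Password,
        # Data Recovery Agent (Certificate), Smart Card, ...).
        $protectors   = @()
        $inProtectors = $false
        foreach ($line in ($out -split "`r?`n")) {
            if ($line -match '^\s*Key Protectors:\s*(.*)$') {
                $inProtectors = -not ($Matches[1] -match 'None')
                continue
            }
            if ($inProtectors) {
                if ($line -match '^\s{8,}(\S.*)$') { $protectors += $Matches[1].Trim() }
                else { $inProtectors = $false }
            }
        }

        New-Object PSObject -Property @{
            Drive            = $d.DeviceID
            Label            = $d.VolumeName
            FileSystem       = $d.FileSystem     # BitLocker To Go covers FAT volumes too ("Support for FAT*")
            ConversionStatus = $(if ($out -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' })
            ProtectionStatus = $(if ($out -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' })
            KeyProtectors    = ($protectors -join ', ')
        }
    }
}

function Test-RemovableDriveWritePolicy {
    # Group Policy "Deny write access to removable drives not protected by
    # BitLocker" (VolumeEncryption.admx) is assumed to write RDVDenyWriteAccess=1
    # under the FVE policy key; verify the value name against the ADMX you deploy.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    return ($value -eq 1)
}

# Usage: list every removable drive with its state, then flag the gaps.
$states = @(Get-RemovableBitLockerState)
$states | Format-Table Drive, Label, FileSystem, ConversionStatus, ProtectionStatus, KeyProtectors -AutoSize

$unprotected = $states | Where-Object { $_.ProtectionStatus -ne 'Protection On' }
if ($unprotected) {
    Write-Warning ('Removable drives without BitLocker protection: ' + (($unprotected | ForEach-Object { $_.Drive }) -join ' '))
}
if (-not (Test-RemovableDriveWritePolicy)) {
    Write-Warning 'Write access to unencrypted removable drives is not blocked by policy.'
}
```

A drive that shows "Protection Off" with an empty protector list is the case the policy bullet is aimed at: with the deny-write setting in force the user can still read it, but cannot put corporate data on it until BitLocker To Go is turned on (manage-bde -on with a password and recovery-password protector, per the tool's own help).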

Page 17

Microsoft Confidential – NDA Only – Microsoft Preliminary Information

Windows 7 Enterprise Security summary (repeats the overview from page 2)

Page 18

AD RMS & DLP

Page 19

Convergence of DLP and RMS
• Centralized Policy
• Policies Pushed into Infrastructure
• Identify and Classify Data
• Leverage Controls to Protect Data: Block, Warn, RMS, Monitor, Enable advanced workflow

Page 20

First Step: RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)

1. RMS admin creates RMS templates for data protection
2. RSA DLP admin designs policies to find sensitive data and protect it using RMS
3. RSA DLP discovers and classifies sensitive files
4. RSA DLP applies RMS controls based on policy
5. Users request files; RMS provides policy based access

• Automate the application of AD RMS protection based on sensitive information identified by RSA DLP
• Leverage AD Groups for identity or group aware data loss prevention

Diagram: Microsoft AD RMS holds a "Legal Contracts" RMS template that grants the Legal Department View, Edit, Print; the outside law firm View; and others No Access. RSA DLP runs a "Contracts" DLP policy that finds legal contracts on laptops/desktops, file shares and SharePoint and applies the Legal Contracts RMS template to them.

Page 21

Long term: Microsoft and RSA Building Information Protection into Infrastructure

Diagram: common Policies (plus add-on policies) span the RSA DLP Enterprise Manager and Microsoft Information Protection Management. The Microsoft Environment and Applications (E-mail/UC, Endpoint, Network, Apps, FS/CMS, Storage) carry built-in DLP classification and RMS controls; RSA supplies complementary platforms and functionality through RSA DLP Endpoint, RSA DLP Network and RSA DLP Datacenter.

• Common policies throughout infrastructure
• Built-in approach to protect data based on content, context, identity
• Future ready: Seamless upgrade path for current customers

Page 22

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.