Windows 7 by Microsoft

Microsoft Windows 7 Security
Ronen Gottlib, CISSP, Information Security Lead, Microsoft

25 pages

Upload: kenneth-endfinger

Post on 18-Jan-2015


TRANSCRIPT

Page 1: Windows 7 by microsoft

Microsoft Windows 7 Security

Ronen Gottlib, CISSP, Information Security Lead, Microsoft

Page 2: Windows 7 by microsoft

Enhance Security & Control

Protect Users & Infrastructure
• AppLocker™ (Windows 7 Enterprise) controls what applications run
• Internet Explorer 8 helps keep users safe online

Protect Data on PCs & Devices
• BitLocker To Go™ (Windows 7 Enterprise) protects data on removable drives
• BitLocker™ simplifies encryption and key management for all drives

Build on Windows Vista Security Foundation
• User Account Control prompts less
• Security Development Lifecycle for defense in depth

Page 3: Windows 7 by microsoft

Data Protection

• Protect data on internal and removable drives
• Mandate the use of encryption with Group Policies
• Store recovery information in Active Directory for manageability
• Simplify BitLocker setup and configuration of primary hard drive

BitLocker To Go™ (Windows 7 Enterprise)

[Chart: Worldwide Shipments (000s). Sources: Gartner, “Forecast: USB Flash Drives, Worldwide, 2001-2011”, 24 September 2007, Joseph Unsworth; Gartner, “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08”, 18 April 2008, Mikako Kitagawa, George Shiffler III]

Page 4: Windows 7 by microsoft

Application Control

• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy

AppLocker™ (Windows 7 Enterprise)

Users can install and run unapproved applications; even standard users can install some types of software.

Unauthorized applications may:
• Introduce malware
• Increase helpdesk calls
• Reduce user productivity
• Undermine compliance efforts

Page 5: Windows 7 by microsoft

Advanced Group Policy Management

Enhancing group policy through change management

What it Does / Benefits:
• Enable group policy change management
• Provides granular administrative control
• Reduce risk of widespread failure
• Versioning, history & rollback of group policy changes
• Role-based administration & templates
• Flexible delegation model

Page 6: Windows 7 by microsoft

Network Access Protection

Today’s Challenges
o Unprotected network taps within an organization’s buildings
o Administrators have limited control over the health of systems joining the network
o Result: hardware/network upgrades and increased operational costs, reduced productivity

Solution: end-to-end, authenticated, tamper-resistant communication
o Improved isolation using IPSec
o Network access protection across IPSec, 802.1X, DHCP, VPN
o Increased manageability

Page 7: Windows 7 by microsoft

Forefront UAG 2010: DirectAccess and RDG

Idan Plotnik, Security Engineer, Forefront MVP

Page 8: Windows 7 by microsoft

Help us to help you to help others …

Page 9: Windows 7 by microsoft

A word on wording

• In Windows 7 / Windows Server 2008 R2, Terminal Services (TS) was renamed to Remote Desktop Services (RDS)

• Other terminology changes:

− Terminal Services Gateway (TSG) → Remote Desktop Gateway (RDG)

− Terminal Services Server → Remote Desktop Session Host

− TS Broker → RD Connection Broker

Page 10: Windows 7 by microsoft

How SSLVPN works …

RD/TS is published by tunneling its traffic, without IAG or any other SSLVPN being able to control the traffic.

[Diagram: RD/TS Client (MSTSC) -> HTTPS Tunnel (through IAG) -> RDP -> RD Session Host (TS Server)]

Page 11: Windows 7 by microsoft

What’s new in UAG

In UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG; therefore, we can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol.

[Diagram: RD/TS Client (MSTSC) -> RDP over HTTPS -> UAG + RDG -> RDP -> RD Session Host (TS Server)]

Page 12: Windows 7 by microsoft

New functionality

Page 13: Windows 7 by microsoft

DirectAccess

• Providing seamless, secure access to enterprise resources from anywhere

Page 14: Windows 7 by microsoft

Always On

• Always connected
• No user action required
• Adapts to changing networks

Page 15: Windows 7 by microsoft

Secure

• Encrypted by default
• 2 Factor AuthN
• Strong Authentication!
  − Computer AuthN
  − User AuthN
• Granular access control
• Coexists with existing edge, health, and access policies

Page 16: Windows 7 by microsoft

Manageable

• Reach out to previously untouchable machines
• Allows remote clients to process Group Policies
• Ongoing updates (AV/WSUS etc …) from the internal infrastructure
• NAP integration for health compliance
• Consolidate Edge Infrastructure

Page 17: Windows 7 by microsoft

VPN vs. DirectAccess - Value

Page 18: Windows 7 by microsoft

Forefront UAG DirectAccess

[Diagram: DirectAccess Client (Windows 7) -> Internet -> Forefront UAG DirectAccess. Client-side IPv6 transition options: Native IPv6, 6to4, Teredo, IP-HTTPS (tunnel over IPv4 UDP, HTTPS, etc.). Traffic is carried as encrypted IPsec+ESP.]
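The slide lists the four ways a Windows 7 DirectAccess client can reach the edge (native IPv6, 6to4, Teredo, IP-HTTPS) but not how the client chooses between them or what that choice means for the edge firewall. The following is an added example, not code from the slide deck or from Microsoft: it models the documented client preference order (native IPv6 first, then 6to4 when the client holds a public IPv4 address, then Teredo when it is behind NAT and UDP is allowed out, otherwise IP-HTTPS over TCP 443) and derives the minimal set of protocols and ports the edge has to accept for a given client population, so everything else can stay closed. The `Transition` type, the function names and the simplified public-address check (RFC 1918, carrier-grade NAT, loopback and link-local treated as non-public) are this example's own assumptions; the port numbers (UDP 3544 for Teredo, TCP 443 for IP-HTTPS, IP protocol 41 for 6to4) are the standard ones for those technologies.

```python
# Added example (not from the slide deck): model of the DirectAccess client's
# transition-technology choice and the edge exposure it implies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Transition:
    name: str
    edge_protocol: str        # what the edge must accept from the Internet
    edge_port: Optional[int]  # None when the carrier is not TCP/UDP


# Standard carriers for each technology; IPsec ESP rides inside all of them.
NATIVE_IPV6 = Transition("Native IPv6", "IPv6", None)
SIX_TO_FOUR = Transition("6to4", "IP protocol 41 (IPv6-in-IPv4)", None)
TEREDO      = Transition("Teredo", "UDP", 3544)
IP_HTTPS    = Transition("IP-HTTPS", "TCP", 443)

# Simplified "not a public address" list (an assumption of this example).
_NON_PUBLIC_V4 = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def has_public_ipv4(addr: str) -> bool:
    """True if addr is an IPv4 address outside the non-public ranges above."""
    a = ip_address(addr)
    return isinstance(a, IPv4Address) and not any(a in n for n in _NON_PUBLIC_V4)


def select_transition(native_ipv6: bool, ipv4_addr: str,
                      udp_outbound_ok: bool = True) -> Transition:
    """Pick the transition technology a DirectAccess client would use.

    native_ipv6:     the client already has IPv6 reachability to the edge
    ipv4_addr:       the address on the client's active interface
    udp_outbound_ok: the local network lets UDP out (Teredo needs it)
    """
    if native_ipv6:
        return NATIVE_IPV6
    if has_public_ipv4(ipv4_addr):   # 6to4 needs a public, non-NATed IPv4 address
        return SIX_TO_FOUR
    if udp_outbound_ok:              # behind NAT: Teredo over UDP
        return TEREDO
    return IP_HTTPS                  # last resort: everything over TCP 443


def required_edge_listeners(client_profiles):
    """Given (native_ipv6, ipv4_addr, udp_outbound_ok) tuples describing the
    client population, return the minimal sorted list of (protocol, port)
    the edge must accept. Anything not listed can stay closed on the edge."""
    needed = {(t.edge_protocol, t.edge_port)
              for t in (select_transition(*p) for p in client_profiles)}
    return sorted(needed, key=lambda x: (x[0], x[1] or 0))


if __name__ == "__main__":
    # Constructed client population: a home user behind NAT, a hotel network
    # that blocks outbound UDP, and a branch office with public IPv4 addressing.
    population = [
        (False, "192.168.1.20", True),
        (False, "10.5.0.9", False),
        (False, "203.0.113.5", True),
    ]
    for profile in population:
        print(profile, "->", select_transition(*profile).name)
    print("edge must accept:", required_edge_listeners(population))
```

The defender's use of this is the last function: if every managed client is behind NAT and UDP is unreliable, the edge only needs TCP 443 exposed, which is also the only transport a client can fall back to from the most restrictive networks. Real clients also probe reachability before settling on a technology; the model above keeps just the address and UDP conditions that drive the choice.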

Page 19: Windows 7 by microsoft

Enterprise Network

[Diagram: Forefront UAG DirectAccess -> Line of Business Applications, with per-server IPsec levels: No IPsec; IPsec Integrity Only (Auth); IPsec Integrity + Encryption. Server types shown: Windows Server 2003, Windows Server 2008, Non-Windows Server.]

Page 20: Windows 7 by microsoft

3 Deployment Models

Page 21: Windows 7 by microsoft

End-to-Edge encryption

• No overhead of encryption on application servers
• Edge enforces machine/user authentication and data encryption
• Least change from existing edge deployments

[Diagram: Trusted, compliant, healthy machine (Windows 7 client) -> Internet -> Forefront UAG DirectAccess -> Corporate Network, containing Applications & Data (non-IPsec enabled) and DC & DNS (Server 2008 SP2/R2). Labels: IPsec ESP tunnel encryption using machine cert (DC/DNS access); IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access; clear-text traffic from the client flows through the encrypted tunnel to Corporate network resources.]

Page 22: Windows 7 by microsoft

End-to-Edge Encryption + End to End IPsec

• No overhead of encryption on application servers (just authentication)
• DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation

[Diagram: Trusted, compliant, healthy machine (Windows 7 client) -> Internet -> Forefront UAG DirectAccess -> Corporate Network, containing Applications & Data (IPsec-enabled) and DC & DNS (Server 2008 SP2/R2). Labels: IPsec ESP-Null AuthIP transport traffic flows through the encrypted tunnel to Corporate network resources; IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access; IPsec ESP tunnel encryption using machine cert (DC/DNS access).]

Page 23: Windows 7 by microsoft

End-To-End IPsec Transport Encryption

• Thin edge solution using IPsec
• Denial of Service Protection (DoSP) Service only allows IPSec & ICMP traffic
• Full End to End IPsec Encryption
• IP-HTTPS tunnel used for proxy scenarios only

[Diagram: Trusted, compliant, healthy machine (Windows 7 client) -> Internet -> Forefront UAG DirectAccess -> Corporate Network, containing Applications & Data (IPsec-enabled) and DC & DNS (Server 2008 SP2/R2). Label: IPsec ESP-encrypted transport to access Corporate network resources.]

Page 24: Windows 7 by microsoft

[Diagram: Windows 7 (IPv6, Always On) -> Forefront UAG DirectAccess -> IPv4 servers. Label: Extend support to IPv4 servers.]

UAG improves adoption and extends access to existing infrastructure

• Extends access to LOB servers with IPv4 support
• Access for down level and non Windows clients
• Enhances scalability and management
• Simplifies deployment and administration
• Hardened Edge Solution

[Diagram: MANAGED clients: Windows 7, Vista, XP; UNMANAGED clients: Non Windows, PDA. Access paths shown: DirectAccess, SSL VPN.]

UAG provides access for down level and non Windows clients. UAG enhances scale and management with integrated LB and array capabilities. UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options.

Page 25: Windows 7 by microsoft

DEMO