Windows Optimized Desktop: Enhance Security & Control

RICHARD TRUSSON, CONSULTANT

Upload: baldric-carr

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Windows Optimized Desktop: Enhance Security & Control

Windows Optimized Desktop: Enhance Security & Control

RICHARD TRUSSON, CONSULTANT

Page 2: Windows Optimized Desktop: Enhance Security & Control

IT Security Challenges

Business, Infrastructure, Users

Flexible Work-styles
Digital Natives
Cost Versus Agility
Compliance
Anywhere Access
Desktop Control

Page 3: Windows Optimized Desktop: Enhance Security & Control

Windows Optimized Desktop

Make People Productive Anywhere

Manage Risks Through Enhanced Security And Control

Reduce Costs By Streamlining PC Management

Page 4: Windows Optimized Desktop: Enhance Security & Control

Manage Risks Through Enhanced Security & Control

Make End Users Productive Anywhere

Manage Risks Through Enhanced Security And Control

Reduce Costs By Streamlined PC Management

Protect Desktop & Mobile Resources

Enforce Compliance

More Secure Web Browsing

Page 5: Windows Optimized Desktop: Enhance Security & Control

“We’ve always considered Internet Explorer to be the most secure browser—to meet our needs, it has to be.”

Peter Clarke, Chief Technology Officer for the Isle of Man Government

More Secure Web Browsing

Help protect against malware

Help prevent unauthorized information disclosure

Help prevent damage to your computer from security threats

Page 6: Windows Optimized Desktop: Enhance Security & Control

Internet Explorer 8

Avoid phishing scams and malware - SmartScreen Filter alerts
Improved user interface
Faster performance
New heuristics & enhanced telemetry
Anti-Malware support
Improved Group Policy support

Identify fake Web addresses - The domain name in the address bar is highlighted

Detect malicious code. The new Cross Site Scripting (XSS) Filter helps detect malicious code that's running on compromised Web sites.

Browse privately. InPrivate Browsing tells Internet Explorer not to record or save your browsing history, temporary Internet files, form data, cookies, and user names and passwords.

Page 7: Windows Optimized Desktop: Enhance Security & Control

Internet Explorer 8

demo

Page 8: Windows Optimized Desktop: Enhance Security & Control

Internet Explorer 8

Page 9: Windows Optimized Desktop: Enhance Security & Control

Stay compliant with business and regulatory policies

Control, track and report on all software you are using

Ensure that computers comply with a defined, desired state

“We estimate that for each user affected by malicious software, we lose four hours of work time—and that’s conservative. By using AppLocker, we’re potentially saving hundreds of man hours each year.”

Jorge Ribeiro Ferreira, IT Consultant, Raona

Enhance Compliance

“[The] auditor was very impressed with the security provisions in place using Windows 7.”

Colin Rainey, Technical Manager, Novosco

Page 10: Windows Optimized Desktop: Enhance Security & Control

AIS Features and Characteristics

Delivered through online service

Small unobtrusive client

Automatically collects Software inventory

Software reports

Export reports data to XLS, XML, PDF

Ideal for branch offices and roaming users

Page 11: Windows Optimized Desktop: Enhance Security & Control

Agent Operation

Implemented as tasks in Windows scheduler
  No resources consumed when not running
  Can be installed on Windows 2000 SP4 or later

AIS 1.5 agent tasks:
  Run-once task for initial enrollment
  Daily check for “inventory now” message
    Can be run at most once/week from the service
    We may add other service-initiated policies in a future version
  Monthly automatic inventory upload
    Scheduled to run on day of install (or 28th if install on 29th-31st)
    Reschedules itself to 28 days later after successful scheduled run
    Retries failed uploads within 20 minutes with incremental back-off
    Retries missed tasks within an hour of boot

Page 12: Windows Optimized Desktop: Enhance Security & Control

Performance

Service typically available for login within 1 day of activation on MVLS portal
Client inventory data typically available in reports within one hour of agent install

Negligible impact on end-user machines
  No overhead when agent isn’t running
  Typical inventory collection time is about a minute
  Typical inventory upload size is under 50 kbytes

UI supports up to 20,000 clients per account
  UI responsiveness deteriorates after that
  Recommend using multiple accounts to manage more clients
  We will increase this limit in a future version of AIS

Page 13: Windows Optimized Desktop: Enhance Security & Control

Security and Privacy of data

Multi-tenant service with account specific certificate in MSI ensures only your clients upload data to your partition
SSL provides server authentication and secure data upload
Live ID login provides authorized access to data

Your inventory data remains confidential
Public privacy statement verified by leading privacy firm Jefferson Wells

Secure Software

Hosted by MS.COM
Restricted physical access

Redundant systems
Backup

Secure Data Center

Privacy Policy

Page 14: Windows Optimized Desktop: Enhance Security & Control

Asset Inventory Service

demo

Page 15: Windows Optimized Desktop: Enhance Security & Control

Asset Inventory Service

Page 16: Windows Optimized Desktop: Enhance Security & Control

More secure Operating System

Ensure data protection for mobile devices and storage

Control which devices may be connected to corporate PCs

Protect Desktop and Mobile Users

“Security enhancements in Windows 7 are our built-in safeguard against loss or theft of any device.”

Keon Yung Cho, Principal Engineer, Samsung

“More and more, our mobile workforce is looking to travel with less hardware, but the smaller the device, the more likely it is to be misplaced. Windows 7 gives us the peace of mind that our information is safe.”

Peter Menadue, Group General Manager, Dimension Data

Page 17: Windows Optimized Desktop: Enhance Security & Control

Action Center - Security

Firewall
AV reports
Windows Update
Spyware / other malware
Internet Security Settings
User Account Control
Network Access Protection (NAP)

Page 18: Windows Optimized Desktop: Enhance Security & Control

BitLocker and BitLocker to Go

Requires TPM if need a PIN at start-up
System volume only

Can also use USB key as 3rd protector
Store recovery password securely in AD
Controlled by GPO
Volume Encryption
Improved setup and access

Page 19: Windows Optimized Desktop: Enhance Security & Control

AppLocker

Management via GPO
Whitelist – with deny/exception capability
Define rules
Assign rules
Create exceptions
Use audit-only mode
Import and export rules

Page 20: Windows Optimized Desktop: Enhance Security & Control

AppLocker: Gotchas

Default is to deny everything! Help Desk calls will increase initially.
Minimal performance hit due to runtime checks.
Windows 7 or later only.
AppLocker rules win over Software Restriction Policies – use separate GPOs if you need both.
In Audit-Only mode rules are not enforced.
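
The audit-only and import/export points above, as an added example that is not part of the original presentation: a PowerShell sketch that builds rules from a reference PC, saves them as audit-only XML, applies them locally and lists what default-deny would have blocked. The scan path, export path and sample file are assumptions.

```powershell
# Added example (not from the slides): stage AppLocker rules in audit-only mode
# before enforcing them. Run elevated on a reference Windows 7 or later PC.
Import-Module AppLocker

$scanPath   = 'C:\Program Files'              # assumed: where approved software lives
$policyFile = 'C:\Temp\applocker-audit.xml'   # assumed: export location
$sampleExe  = 'C:\Windows\System32\notepad.exe'  # assumed: a file to test against the policy

# 1. Inventory executables and generate allow rules: publisher rules for
#    signed files, file-hash rules as the fallback for unsigned ones.
$files = Get-AppLockerFileInformation -Directory $scanPath -Recurse -FileType Exe
[xml]$doc = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Mark every rule collection audit-only so nothing is blocked yet,
#    then export the policy to XML (this file can be imported into a GPO).
foreach ($rc in $doc.SelectNodes('//RuleCollection')) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# 3. Dry run: anything outside the scanned path reports as denied, because
#    a collection that contains rules denies whatever no rule allows.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sampleExe -User Everyone

# 4. Merge into the local policy. The Application Identity service must be
#    running for AppLocker to evaluate (and log) anything.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Start-Service -Name AppIDSvc

# 5. After a trial period, list what enforcement would have blocked.
#    Event ID 8003 = "allowed to run, but would have been prevented".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Reviewing the 8003 events before switching `EnforcementMode` to `Enabled` is what keeps the initial rise in Help Desk calls small.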

Page 21: Windows Optimized Desktop: Enhance Security & Control

AppLocker and BitLocker to Go

demo

Page 22: Windows Optimized Desktop: Enhance Security & Control

AppLocker

Page 23: Windows Optimized Desktop: Enhance Security & Control

BitLocker to Go

Page 24: Windows Optimized Desktop: Enhance Security & Control

Windows Optimized Desktop Products

Management Infrastructure

Server Infrastructure

Client Infrastructure

Page 25: Windows Optimized Desktop: Enhance Security & Control

Atos Origin: deploying Windows® 7 to 50,000 client computers.

Sought improved support for its mobile workforce

Wanted to upgrade to Windows® 7 to help enhance data and network security, streamline IT management work, and reduce costs.

Pilot Windows 7 on 150 computers

Windows 7 features: BitLocker to Go™, AppLocker™, DirectAccess, and Internet Explorer 8

Plans to extend the deployment to all 50,000 computers

Help keep computers more secure by blocking unauthorized application downloads

Help keep the network more secure

IT staff can more easily manage and deploy software to remote computers

Solution

Customer

Results/Benefits

Customer Business Challenge

“For security to be effective, it must be invisible to users, and tests show that employees are often unaware of the Windows 7 security measures.”

James McMahon, Product Manager for Adaptive Workplace

Page 26: Windows Optimized Desktop: Enhance Security & Control

Call to Action

Begin or Continue Your Windows 7 Deployment

Contact Your Account Team for More Information

Deploy MDOP Technologies Today

Test Your Applications for Windows 7

Page 27: Windows Optimized Desktop: Enhance Security & Control

Additional Resources

Windows 7 Enterprise site: http://www.microsoft.com/windows/enterprise

Microsoft Desktop Optimization Pack http://www.microsoft.com/mdop

Case Studies http://www.microsoft.com/casestudies

Springboard Series for Technical Content, Evals http://www.microsoft.com/springboard

Talking About Windows http://www.TalkingAboutWindows.com

MDOP TechNet Site http://technet.microsoft.com/en-us/windows/bb899442.aspx

Windows Optimized Desktop Scenarios Guide http://technet.microsoft.com/en-us/library/dd334417.aspx

Business Value

IT Pros

Windows Server 2008 R2 http://www.microsoft.com/windowsserver2008r2

Microsoft Forefront http://www.microsoft.com/forefront

System Center http://www.microsoft.com/systemcenter

Microsoft Virtualization Solutions http://www.microsoft.com/virtualization

Complementary Products

Get the latest Windows 7 news http://www.windowsteamblog.com

Get the latest MDOP News http://blogs.technet.com/mdop

Windows Optimized Desktop Blog http://blogs.technet.com/od

Blogs

Page 28: Windows Optimized Desktop: Enhance Security & Control

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.