Windows 2008 R2 Security
  • In Windows 7 we are fixing that: a new approach to networking so the user has the same experience in the office that they have outside the office. Any time you have Wi-Fi, you have corpnet access too. There are great IT benefits: while you are connected, IT can apply Group Policy, updates, and remote assistance. The connectivity goes both ways.
    One of the goals of Windows 7 is to enable users to access the information they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First, we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which requires only an Internet connection to connect to the Exchange server.
    But users still have a challenge when accessing resources that are inside the corporate network. For example, users cannot open the links to an internal Web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard to use because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users try to avoid VPN as much as possible and stay disconnected from the corporate network for as long as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot manage them while they are away from work, so remote users fall further out of date and it gets harder and harder for them to access corporate resources. With the capabilities Windows 7 enables, users who have Internet access will be automatically connected to their corporate network. A user sitting in a coffee shop can open his laptop, connect to the Internet using the coffee shop's wireless access and start working as if he were in the office.
    The user in this case will be able not only to use Outlook, but also to work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources. This solution is also very appealing to IT professionals: managing mobile PCs has always been an issue, since they could be disconnected from the corporate network for a long time. With this work-access solution, as long as they have Internet connectivity, users will be on the corporate network. Servicing mobile users (such as distributing updates and Group Policy) is easier, since they can be reached more frequently by IT systems.
    Deploying Windows 7 will not automatically enable this type of work-access connection. You will have the choice to enable it or not, and it will require some changes to your back-end network infrastructure, including having at least one server running Windows Server 2008 R2 at the edge of your network. The solution takes advantage of Microsoft's investments in IPsec and IPv6 to provide secure connectivity even when not on the physical corporate network. This feature requires Windows 7 Enterprise on the client PC.

Windows 2008 R2 Security Presentation Transcript

  • Windows 2008 R2 Security
    Amit Gatenyo
    Infrastructure & Security Manager, Dario
    Microsoft Regional Director - Windows Server & Security
  • Agenda
    Service Hardening
    RDS Gateway
    AD Recycle Bin
    Managed Service Accounts
  • Service Hardening
    Windows 7/Server 2008 R2
    Windows® XP SP2/Server 2003 R2
    Firewall Restricted
    Network Service
    Network Service
    Fully Restricted
    Local Service
    Network Service
    Network Restricted
    Local Service
    No Network Access
    Local Service
    Fully Restricted
  • Service Hardening Summary
  • Windows Firewall w/ Advanced Security
    Firewall rules become more intelligent
    Policy-based networking
    Combined firewall and IPsec management
  • Windows Firewall Summary
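The two slides above describe hardening a service (restricted service SID, reduced privileges) and binding Windows Firewall with Advanced Security rules to it. This added example, which is not from the presentation, puts a placeholder service named LobAgent (assumed to run as NetworkService and to need no network at all) into the "No Network Access" class using only the sc.exe and netsh tools that ship with Windows Server 2008 R2, run from an elevated PowerShell.

```powershell
# Added example, not from the presentation. 'LobAgent' is a placeholder for an
# installed service that runs as NT AUTHORITY\NetworkService and only needs
# local resources. Run from an elevated PowerShell on Windows Server 2008 R2.
$svc = 'LobAgent'

# 1. Give the service a write-restricted token tagged with its own service SID
#    (NT SERVICE\LobAgent). It can then only write to objects whose ACL names
#    that SID, instead of everything NetworkService may write to.
sc.exe sidtype $svc restricted
sc.exe qsidtype $svc           # expect: SERVICE_SID_TYPE: RESTRICTED
sc.exe showsid  $svc           # prints the SID (S-1-5-80-...) to use in ACLs

# 2. Least privilege: keep only the privileges the service actually needs.
#    Every privilege not listed here is removed from its token at start.
sc.exe privs $svc SeChangeNotifyPrivilege

# 3. "No Network Access": block both directions for this service SID only.
#    Other services running as NetworkService are unaffected, because the rule
#    matches the service SID, not the account. Explicit block rules take
#    precedence over allow rules in Windows Firewall, so these hold even where
#    a broad allow rule for the same ports exists.
netsh advfirewall firewall add rule name="${svc}-NoNet-Out" dir=out action=block service=$svc
netsh advfirewall firewall add rule name="${svc}-NoNet-In"  dir=in  action=block service=$svc

# 4. Restart so the new token is built, then verify the rules are in place.
Restart-Service -Name $svc
netsh advfirewall firewall show rule name="${svc}-NoNet-Out"
netsh advfirewall firewall show rule name="${svc}-NoNet-In"
```

After switching to a restricted SID, any file, registry key or named object the service must write to needs an ACE for NT SERVICE\LobAgent, otherwise the service fails at the first write.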
  • BitLocker Drive Encryption
    Full Volume Encryption Key (FVEK)
    Encryption Policy
    Group Policy allows central encryption policy and provides Branch Office protection
    Provides data protection even when the system is in unauthorized hands or is booted into a different or malicious operating system
    Uses a v1.2 TPM or USB flash drive for key storage
  • BitLocker Encryption Types
  • DirectAccess
    Remote access is now ubiquitous
    Comprehensive anywhere access for Windows 7 and Windows Server 2008 R2
    Seamless, always-on, secure connectivity; no separate client software required
    Utilizes networking technologies already in Windows Server 2008
    No separate action required to connect to corpnet while remote. Corpnet is simply there.
    Leverages policy-based network access
    Enables desktop management regardless of client location.
  • DirectAccess
    IPv4 Devices
    IPv6 Devices
    Support IPv4 via 6to4 transition services or NAT-PT
    IT desktop management
    DirectAccess provides transparent, secured access to intranet resources without a VPN
    Native IPv6 with IPSec
    Allows desktop management of DirectAccess clients
    AD Group Policy, NAP, software updates
    IPv6 Transition Services
    Supports direct connectivity to IPv6-based intranet resources
    Supports variety of remote network protocols
    Allows IPSec encryption and authentication
    Windows 7 Client
  • AD Rights Management Services
    AD RMS protects access to an organization’s digital files
    Improved installation and administration experience
    Self-enrollment of the AD RMS cluster
    Integration with AD Federation Services
    New AD RMS administrative roles
    RMS Server
    Information Author
    The Recipient
  • Protected emails
  • Apply Permissions to New Email
  • Add users with Read and Change permissions
    Verify aliases & DLs via AD
    Add advanced permissions
  • Add/remove additional users
    Set expiration date
    Enable print, copy permissions
    Contact for permission requests
    Enable viewing via RMA
  • Read-Only Domain Controller
    Main Office
    Branch Office
    Read Only Active Directory Database
    Only allowed user passwords are stored on RODC
    Unidirectional Replication
    Role Separation
    Increases security for remote Domain Controllers where physical security cannot be guaranteed
  • PKI Enhancements
    Online Certificate Status Protocol (OCSP)
    Enterprise PKI (PKIView)
    Web Enrollment
    Network Device Enrollment Service
  • Cryptography Next Generation
    Cryptography Next Generation (CNG)
    Includes algorithms for encryption, digital signatures, key exchange, and hashing
    Supports cryptography in kernel mode
    Supports the current set of CryptoAPI 1.0 algorithms
    Support for elliptic curve cryptography (ECC) algorithms
    Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
  • CNG vs CAPI
  • Terminal Services Gateway
    Perimeter Network
    Corporate Network
    Strips off RDP / HTTPs
    RDP traffic passed to TS
    Tunnels RDP over HTTPs
    Internal Firewall
    External Firewall
    Terminal Servers and other RDP Hosts
    Remote/ Mobile User
    Terminal Services Gateway
    Network Policy Server
    Active Directory DC
  • Remediation
    Example: Patch
    Corporate Network
    Network Access Protection
    Policy Servers
    such as: Patch, AV
    Not policy compliant
    Policy compliant
    1. Client requests access to network and presents current health state
    2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
    3. Network Policy Server (NPS) validates against IT-defined health policy
    4. If policy compliant, client is granted full access to corporate network
    5. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)
  • NAP Enforcement Methods
    Internet Protocol security (IPsec)-protected communications
    IEEE 802.1X-authenticated network connections
    Remote access virtual private network (VPN) connections
    Dynamic Host Configuration Protocol (DHCP) configuration
  • Recycle Bin for AD
    Customer can undo an accidental deletion in Active Directory
    Past limitations
    Accidental object deletion causes business downtime – deleted users cannot logon or access corporate resources
    Accidental deletions are the number one cause of AD Disaster Recovery scenarios
    Feature takeaway
    Recycle bin for AD DS and AD LDS objects
    Feature enabled with a new forest functional level
    Requires all DCs in the forest to be Windows Server 2008 R2 DCs
    For AD LDS, all replicas must be running in a new ‘application mode’
  • Recycle Bin for AD Object Life-cycle
    Windows Server 2008:
    Live Object -> Tombstone Object (180 Days) -> Garbage collection
    LDAP OID 1.2.840.113556.1.4.417 returns Tombstones
    Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008):
    Live Object -> Deleted Object (180 Days) -> Recycled Object (180 Days) -> Garbage collection
    LDAP OID 1.2.840.113556.1.4.417 returns Deleted
    LDAP OID 1.2.840.113556.1.4.2064 returns Deleted and Recycled
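The two AD Recycle Bin slides above give the prerequisites and the object life-cycle. This added example, not from the presentation, walks through them on a Windows Server 2008 R2 domain controller with the Active Directory PowerShell module: read the two lifetimes the slide quotes as 180 days, enable the feature once the forest functional level allows it, list what is currently in the deleted state, and restore one object. The user name jdoe is a placeholder.

```powershell
# Added example, not from the presentation. Placeholder: the deleted user 'jdoe'.
# Run in an elevated PowerShell on a Windows Server 2008 R2 DC (AD module installed).
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Read the object lifetimes the slide refers to (180 days each by default):
#    a deleted object can be restored until msDS-DeletedObjectLifetime expires;
#    it then becomes a recycled object, which can no longer be restored.
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject $dsCfg -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime' |
    Select-Object 'msDS-DeletedObjectLifetime','tombstoneLifetime'

# 2. The feature needs the Windows Server 2008 R2 forest functional level
#    (all DCs must be 2008 R2). Enabling it is one-way: it cannot be turned off.
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 3. List deleted objects. -IncludeDeletedObjects sends the Show Deleted control,
#    so isDeleted objects under CN=Deleted Objects come back with their attributes
#    (with the Recycle Bin enabled the attributes are preserved, not stripped).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 4. Restore one of them by its preserved sAMAccountName. Restore-ADObject puts it
#    back under lastKnownParent with SID and group memberships intact, so the user
#    can log on again without a re-created account (and without a new SID).
Get-ADObject -Filter 'sAMAccountName -eq "jdoe" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```

Once an object has passed into the recycled state it no longer appears in step 3's output as restorable; the only remaining recovery path is an authoritative restore from a system-state backup.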
  • Managed Service Accounts
    Simple management of service accounts
    Past limitations
    Management of individual accounts for services is cumbersome
    Periodic maintenance often causes outages
    Example: resetting service account password
    Feature takeaway
    A manageable solution that addresses isolation needs for services
    Better SPN management in Win7 Domain Functional Mode
    Lower TCO from reduced service outages (for manual password resets and related issues)
    One Managed Service Account per Service per box
    No human intervention for password management!
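The slide above lists what Managed Service Accounts fix: per-service isolation, SPN management and passwords that no human ever handles. This added example, not from the presentation, sets one up end to end with the Windows Server 2008 R2 Active Directory module. The account name svc-lob, host APP01, domain CORP / corp.example and service LobAgent are placeholders.

```powershell
# Added example, not from the presentation. Placeholders: MSA 'svc-lob', member
# server 'APP01', domain NetBIOS name 'CORP', DNS name 'corp.example', and a
# Windows service 'LobAgent' that will run under the account.
Import-Module ActiveDirectory

# --- On a DC or an admin workstation with the AD module ---
# 1. Create the MSA. AD generates a long random password and rotates it
#    automatically (every 30 days, like a computer account); nobody ever types it.
#    On Windows Server 2012 or later add -RestrictToSingleComputer to get a
#    standalone MSA rather than a group MSA.
New-ADServiceAccount -Name 'svc-lob' -Enabled $true

# 2. Bind it to the single computer allowed to retrieve the password: one MSA per
#    service per box, so this service's identity is isolated from every other host.
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-lob'

# 3. Register the SPN on the account so Kerberos works without a human-managed
#    password (the slide's "better SPN management" at the 2008 R2 domain
#    functional level keeps MSA SPNs in sync when the host is renamed).
Set-ADServiceAccount -Identity 'svc-lob' -ServicePrincipalNames @{Add='HTTP/app01.corp.example'}

# --- On APP01 (the service host) ---
# 4. Install the account locally so the LSA can retrieve and cache its password.
Install-ADServiceAccount -Identity 'svc-lob'

# 5. Point the service at the MSA. The logon name is DOMAIN\name$ and the password
#    is left empty: Windows fetches it itself. Grant the account the "Log on as a
#    service" right first (services.msc does this automatically, sc.exe does not),
#    then restart the service.
sc.exe config LobAgent obj= 'CORP\svc-lob$' password= ''
Restart-Service -Name LobAgent

# 6. Verify: which host the account is bound to and when its password last rotated.
Get-ADServiceAccount -Identity 'svc-lob' -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet
```

Because the password is never known to an administrator, the periodic manual reset that the slide names as a cause of outages simply disappears, and a leaked admin credential no longer also leaks the service's.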
  • Thank You!
    Amit Gatenyo
    Infrastructure & Security Manager, Dario
    Microsoft Regional Director - Windows Server & Security