CLI-309<br />
Microsoft Windows 7 Enhanced Security and Control
Level 300

What Will We Cover?
  • Fundamentally Secure Platform
  • Helping Secure Anywhere Access
  • Protecting Data
  • Prote...

Agenda
  • Reviewing Windows 7 Security Goals
  • Protecting Desktop Users
  • Examining Data Protection
  • Exploring...

Windows 7 Enterprise Security
  • Fundamentally Secure Platform
  • Secure Anywhere Access
  • Protect Data from Unauth...

Fundamentally Secure Platform
  • Windows Vista Foundation
  • Simplified User Account Control (UAC)
  • Enhanced Audit...

User Account Control
Challenges
  • User provides explicit consent
  • Disabling UAC removes protections
  • Simpl...
  • Re-factor applications into elevated and non-elevated pieces
  • Flexible prompt behavior
Customer Value
  • Standard users can do more
  • Administrators will see fewer UAC elevation prompts

AppLocker
Challenges
  • Users can install and...
  • Enforce application standardization within your organization
  • Easily create and manage flexible rules using Group Policy

AppLocker

AppLocker - Notes

Demonstration Environment

  • Add AppLocker Default Rules
  • Create AppLocker Executable Rule Using Group Policy
  • Create an AppLocker Windows Inst...

Internet Explorer 8 Security
Freedom from Intrusion
  • Social engineering and exploits
  • Reduce unwanted communications
Protection from Harm
  • Browser and Web server exploits
  • Protection from deceptive Web sites, malicious code, online fraud, identity theft
Control of Information
  • ...
  • Clear notice of information use
  • Provide only what is needed

Internet Explorer 8 Security - Notes

Protect Data from Unauthorized Viewing
Active Directory® Rights Management Services (RMS)
  • Policy definit...
  • Protects information wherever it travels
  • Integrated RMS client
Encrypting File System (EFS)
  • User-based file and folder encryption
  • Ability to store EFS keys on a smart card
BitLocker™
  • Easier to configure and deploy

Microsoft Windows 7 Enhanced Security And Control

This session will explore Windows 7 core platform security improvements, securing anywhere access, data protection, and protecting desktop users. We will explain how Windows 7 features in each of these areas provide the foundation for a secure and reliable platform. We will discuss User Account Control improvements, enhanced auditing, Network Access Protection (NAP), Firewall improvements, AppLocker, BitLocker and BitLocker To Go enhancements, DirectAccess, Internet Explorer 8 security improvements, and EFS enhancements.

Published in: Technology
  • Slide Title: Feedback
    Slide Builds: 0
    Slide Comment: To send feedback on this slide, use the hyperlink on the feedback slide at the start and end of this deck.
  • Slide Title: Windows 7 Enterprise Security
    Keywords: Windows 7, Security
    Key Message: Windows 7 builds upon the great security enhancements pioneered in Windows Vista.
    Slide Builds: 3
    Slide Script: Windows 7 builds upon the great security enhancements pioneered in Windows Vista and responds to customer feedback to make the system more usable and manageable. User Account Control, or UAC, has been simplified and auditing has been enhanced.
    [BUILD1] Windows 7 provides the appropriate security controls so that users can access the information they need to be productive, whenever they need it, whether they are in the office or not. Network security and Network Access Protection, or NAP, have been improved, and DirectAccess enables remote users to access the corporate network anytime they have an Internet connection, without the extra step of initiating a virtual private networking, or VPN, connection.
    [BUILD2] Windows 7 extends BitLocker Drive Encryption to help protect data stored on portable media; for example, USB flash drives and USB portable hard drives, so that only authorized users can read the data, even if the media is lost, stolen, or misused.
    [BUILD3] Windows 7 provides flexible security protection against malware and intrusions so that users can achieve their desired balance of security, control, and productivity. AppLocker is a flexible, easily administered mechanism that enables IT professionals to specify exactly what users are allowed to run on their desktops. It provides the flexibility to allow users to run the applications, installation programs, and scripts they need to be productive. Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to help identify malicious sites and block the download of malicious software.
    Slide Transition: Let's see exactly what makes Windows 7 a fundamentally secure platform.
    Additional Information: http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx
  • Slide Title: Fundamentally Secure Platform
    Keywords: Windows 7, Security
    Key Message: Windows 7 is a secure platform.
    Slide Builds: 2
    Slide Script: Fundamental security features such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels continue to provide enhanced protection against malware and attacks. Windows 7 is designed and developed using the Microsoft Security Development Lifecycle (SDL), and it is engineered to support Common Criteria requirements to achieve Evaluation Assurance Level 4 certification and meet Federal Information Processing Standard 140-2. From the solid security foundation of Windows Vista, Windows 7 makes significant enhancements to the core security technologies of event auditing and User Account Control.
    [BUILD1] User Account Control (UAC) was introduced in Windows Vista to help increase security and improve total cost of ownership by enabling the operating system to be deployed without administrative privileges. Windows 7 continues the investment in UAC with specific changes to enhance the user experience, from reducing the number of operating system applications and tasks that require administrative privilege to a flexible consent prompt behavior for users who continue to run with administrative privilege. The result? Standard users can do even more than ever before and all users will see fewer prompts.
    [BUILD2] Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet their regulatory and business compliance requirements.
    Slide Transition: The next item on our agenda is more secure anywhere access.
    Additional Information: http://technet.microsoft.com/en-us/library/dd560691.aspx
  • Slide Title: User Account Control
    Keywords: User Account Control
    Key Message: Overview of UAC.
    Slide Builds: 1
    Slide Script: In Windows 7, UAC functionality is improved to increase the number of tasks that the standard user can perform that do not prompt for administrator approval. It will allow a user with administrator privileges to configure the UAC experience in the Control Panel. UAC provides additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval mode. And finally, it provides additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users.
    [BUILD1] The improvements to UAC in Windows 7 and Windows Server 2008 R2 result in an improved user experience when configuring and troubleshooting your computer. By default, standard users and administrators access resources and run applications in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks. When the user runs applications that perform administrative tasks (administrator applications), the user is prompted to change or "elevate" the security context from a standard user to an administrator, called Admin Approval mode. In this mode, the administrator must provide approval for applications to run on the secure desktop with administrative privileges.
    Slide Transition: Windows AppLocker is a new feature in Windows 7 and Windows Server 2008 that replaces the Software Restriction Policies feature.
    Additional Information: http://technet.microsoft.com/en-us/library/cc709691.aspx
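The two-token behaviour described in the note can be observed directly. The following PowerShell snippet is an added example, not part of the deck or of any Microsoft sample: it reports whether the session holds the filtered standard-user token or the full administrator token, using the attributes that whoami.exe prints for each group SID (the Administrators SID is marked "Group used for deny only" in the filtered token) and the Mandatory Label row, which is the integrity level the note's Mandatory Integrity Levels refer to. It assumes Windows 7 or later and an account that is a member of the local Administrators group; run it once from a normal prompt and once from a prompt started with "Run as administrator" to see both tokens.

```powershell
# Added example (not from the deck): show which of the two UAC access tokens the
# current PowerShell session holds. Assumes Windows 7 or later (whoami.exe present)
# and an account that is a member of the local Administrators group.
function Get-TokenElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole consults the token in use: under the filtered (standard user)
    # token it is $false even though the account is in Administrators.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every group SID in the token with the attributes UAC
    # applied. S-1-5-32-544 is the local Administrators group; the row of type
    # "Label" is the integrity level (Medium for the filtered token, High when elevated).
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label    = $groups | Where-Object { $_.Type -eq 'Label' }

    # New-Object PSObject keeps this runnable on the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        User                = $identity.Name
        IsElevated          = $isElevated
        AdministratorsGroup = $(if ($adminRow) { $adminRow.Attributes } else { 'not in token' })
        AdminSidDenyOnly    = [bool]($adminRow -and $adminRow.Attributes -match 'deny only')
        IntegrityLevel      = $(if ($label) { $label.'Group Name' } else { 'unknown' })
    }
}

Get-TokenElevationState | Format-List User, IsElevated, AdministratorsGroup, AdminSidDenyOnly, IntegrityLevel
```

From a normal prompt an administrator account shows IsElevated false, the Administrators SID used for deny only, and Medium integrity; the same account in an elevated prompt shows IsElevated true and High integrity. Disabling UAC collapses both cases into the second, which is the "removes protections" point on the slide.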
  • Slide Title: AppLocker
    Keywords: AppLocker
    Key Message: Configuring AppLocker.
    Slide Builds: 1
    Slide Script: To configure AppLocker: First you need to configure rule enforcement. The default setting is Enforce rules but allow the settings to be overridden; you need to change this to the Enforce rules setting. The default setting will need to be changed on each set of AppLocker rules you wish to enforce. The three types of rules are Executable rules, Windows Installer rules, and Script rules. AppLocker includes default rules that you can generate to allow parts of the operating system to run. For Executable rules, three default rules are created. The first default rule allows members of the Everyone group to execute programs in the Program Files folder. The next default rule allows members of the Everyone group to execute programs in the Windows folder. The last default rule allows local administrators to execute all programs. You can choose to keep all these default rules, or you can delete rules that may interfere with new rules you want to create in your organization. For example, if you wanted to allow only certain programs in the Program Files folder to run, you would delete the default rule for the Program Files folder and create new rules to allow only the programs you want to run. Windows Installer rules and Script rules also have default rules you can create. After you create a new rule, you need to ensure that the Application Identity service is running. If this service is not running, AppLocker will not enforce rules.
    [BUILD1] To create a new rule: There are three types of rules you can create using AppLocker: Publisher rule, Path rule, and File Hash rule. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application. For example, an organization can create a rule to "allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe." Now, when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application. Path rules allow you to create a rule for a specific file or folder path. You can use the File Hash option to create a rule for an application that is not signed. To create a Publisher rule, you need to browse for a signed file to use as a reference for the rule. Once the reference file has been selected, the properties will be automatically populated. You can modify these properties according to how you wish to create the rule. In addition, you can create exceptions to the rule. For example, if you wish to create a Publisher rule that will allow users to run Microsoft Office system 2007, except you don't want them to be able to run Office PowerPoint 2007, you would create an exception for Office PowerPoint.
    Slide Transition: Before our first demo, let's take a look at the demonstration environment.
    Additional Information: http://technet.microsoft.com/en-us/library/dd560656.aspx
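The note describes the console workflow; the same steps (reference files, Publisher and File Hash rules, the Enforce rules setting, and the Application Identity service) can be scripted with the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate and Windows Server 2008 R2. The block below is an added example, not part of the deck or of Microsoft's own samples. It assumes an elevated session and uses C:\Program Files\Contoso as a hypothetical folder of signed binaries; the file paths passed to Test-AppLockerPolicy are likewise constructed for the example.

```powershell
# Added example (not from the deck): generate, test and apply an AppLocker policy
# with the AppLocker module. Assumes an elevated PowerShell session on Windows 7
# Enterprise/Ultimate or Windows Server 2008 R2; C:\Program Files\Contoso is a
# hypothetical folder holding signed executables.
Import-Module AppLocker

# Collect publisher and hash information for the executables to allow.
# Publisher rules survive version updates; hash rules cover unsigned files.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' -Recurse -FileType Exe

# Build a policy allowing Everyone to run them: a publisher rule where the file is
# signed, a hash rule otherwise. -Optimize merges rules that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                                 -User Everyone -RuleNamePrefix 'Contoso' -Optimize -Xml

# The generated rule collections carry no enforcement mode of their own. Set each
# one to "Enabled" (the console's "Enforce rules"; "AuditOnly" logs without blocking).
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'Enabled'
}
$policyPath = Join-Path $env:TEMP 'contoso-applocker.xml'
$policy.Save($policyPath)

# Dry run before enforcing: what decision does the policy reach for these files?
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Program Files\Contoso\app.exe', 'C:\Users\Public\Downloads\unknown.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy; use -Ldap with a GPO path instead to write to Group Policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Rules are enforced only while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Running Test-AppLockerPolicy first is the scripted equivalent of the note's advice to review rules before enforcing them: a file that is neither in the allowed folder nor covered by a default rule comes back as Denied, which is what users would see once the policy is merged and the service is running.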
  • Slide Title: Demonstration Environment
    Keywords: Demonstration Environment
    Key Message: Describe the demonstration environment being used.
    Slide Builds: 0
    Slide Script: The presenter's demonstration computer will contain two virtual machines named SEA-DC-01 and SEA-WRK-001. The two machines will be able to communicate with each other, but will not be able to communicate with the Internet, or with other host computers or the virtual machines running on them. The following is a network diagram of the computers used in this session.
    Slide Transition: The first demonstration will cover configuring AppLocker.
  • Slide Title: IE8 Security
    Keywords: IE8, security
    Key Message: Internet Explorer 8 security overview.
    Slide Builds: 2
    Slide Script: Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to help identify malicious sites and block the download of malicious software. Privacy is enhanced through the ability to surf the Web without leaving a trail on a shared computer, and through increased choice and control over how Web sites can track user actions. Internet Explorer 8 also helps inspire confidence and trust through improved restrictions for ActiveX controls, enhanced add-on management, improved reliability (including automated crash recovery and tab restoration), and enhanced support for accessibility standards. Internet Explorer 8 provides freedom from intrusion by limiting social engineering and exploits, and it reduces unwanted communications. New in Internet Explorer 8 is a feature that allows Web site content owners to put a tag in a page header that will help prevent ClickJacking, a type of cross-site request forgery. ClickJacking encompasses multiple techniques that can be used to trick Web users into unwittingly clicking an obscured or hidden Web element, usually resulting in an unwanted transaction. Internet Explorer 8 will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, and giving users the option to open the content in a new window.
    [BUILD1] Internet Explorer 8 protects the user from harm. Built upon the Microsoft Phishing Filter, the SmartScreen Filter helps protect customers against a broader set of phishing threats and helps protect from sites that attempt to download malicious software. The SmartScreen Filter is easy to use, with an enhanced user interface and warning messages to reduce users' click-through to confirmed sites. Internet Explorer 8 helps protect customers and systems from attacks that can lead to information disclosure, cookie stealing, account or identity theft, or other attempts to masquerade as the user without permission. XSS attacks have emerged as a leading exploit against Web servers and Web applications. Internet Explorer 8 has an XSS filter that is able to dynamically detect type-1 XSS (reflection) attacks. Per-site ActiveX reduces attack surface by providing an implicit SiteLock (a tool for restricting access to a specific domain), so that controls may run only from their point of installation by default. This enables users and administrators to manage where a given ActiveX Control is allowed to run. Per-user ActiveX allows developers to write their ActiveX controls so that when a user installs them, they are installed only for that user and not for all users on the system, providing a level of protection for other users against malicious or badly written controls.
    [BUILD2] Internet Explorer 8 helps you control your information. Internet Explorer 8 enhances the Delete Browsing History feature by providing the ability to delete some cookies, browsing history, and other data while preserving cookies, browsing history, and other data for favorite sites. InPrivate helps to protect people's data and privacy from being retained locally on the computer they are using. This protects against third parties who might be in a position to track a consumer's online activities. Consumers have the ability to use either of the features (InPrivate Blocking or InPrivate Filtering) independently. When activated, InPrivate Browsing helps ensure that browsing history, temporary Internet files, and cookies are not recorded on a computer after browsing. When you use InPrivate Browsing, toolbars and extensions are automatically disabled, and browsing history is automatically deleted when the browser is closed. InPrivate Filtering helps protect privacy by enabling the consumer to filter content coming from third parties that are in a position to track and aggregate their online behavior. Users are provided with notice, choice, and control of which third parties to allow and which ones to filter.
    Slide Transition: Let's move on to the third agenda item.
    Additional Information: http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
  • [BUILD2] BitLocker Drive Encryption functionality in Windows 7 delivers an improved experience for IT professionals and end users, including the ability to right-click a drive to enable BitLocker protection, automatic creation of the required hidden boot partition, and improved key management. Windows 7 also introduces BitLocker To Go, which provides data protection for removable storage devices, such as USB flash drives.
    Slide Transition: Let's look at some specific BitLocker enhancements.
    Additional Information: http://technet.microsoft.com/en-us/library/cc700811.aspx
  • Slide Title: BitLocker
    Keywords: BitLocker
    Key Message: Overview of BitLocker.
    Slide Builds: 0
    Slide Script: Windows 7 addresses the continued threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and the introduction of BitLocker To Go. Windows 7 enhances data protection against data theft and exposure by extending BitLocker support to removable storage devices. By extending support for BitLocker to FAT data volumes, a broader range of disk formats and devices can be supported, including USB flash drives and portable disk drives. This enables users to deploy BitLocker for a broader range of data protection needs. Whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, BitLocker- and BitLocker To Go-protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused. Best of all, BitLocker protection is easy to deploy and intuitive for the end user–all while helping to improve compliance and data security. BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device that users want to write data upon, while still allowing unprotected storage devices to be utilized in a read-only mode. Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device. Finally, BitLocker To Go provides configurable read-only support for removable devices on older versions of Windows, enabling you to more securely share files with users who are still running Windows Vista and Windows XP.
    Slide Transition: Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet their regulatory and business compliance requirements.
    Additional Information: http://technet.microsoft.com/en-us/windows/aa905065.aspx
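On Windows 7 the BitLocker and BitLocker To Go operations the note describes are driven by manage-bde.exe (the Enable-BitLocker family of cmdlets does not exist until Windows 8). The block below is an added example, not part of the deck or of Microsoft's tooling: it turns on BitLocker To Go for a removable drive with a password protector plus a recovery password, then parses manage-bde -status so an administrator can list the data volumes that a "require protection before writing" policy would leave read-only. It assumes an elevated session, a hypothetical removable drive E:, and the English field names in manage-bde's output.

```powershell
# Added example (not from the deck): BitLocker To Go via manage-bde.exe on Windows 7.
# Assumes an elevated session; E: is a hypothetical removable drive, and the
# status parser follows the English output of manage-bde -status.

function Enable-BitLockerToGo {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'E:'
    # Password protector for everyday unlock plus a 48-digit recovery password
    # that can be escrowed; manage-bde prompts for the password interactively.
    manage-bde -on $Drive -Password -RecoveryPassword
}

function Get-BitLockerVolumeState {
    # One object per volume reported by "manage-bde -status".
    $current = $null
    $result  = @()
    foreach ($line in (manage-bde -status)) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            if ($current) { $result += $current }
            $current = New-Object PSObject -Property @{
                Drive = $matches[1]; Type = ''; Conversion = ''; Protection = '' }
        }
        elseif ($current -and $line -match '^\[(.+)\]')                 { $current.Type       = $matches[1] }
        elseif ($current -and $line -match 'Conversion Status:\s+(.+)') { $current.Conversion = $matches[1].Trim() }
        elseif ($current -and $line -match 'Protection Status:\s+(.+)') { $current.Protection = $matches[1].Trim() }
    }
    if ($current) { $result += $current }
    $result
}

# Data volumes with protection off are exactly the drives that the
# "deny write access to removable drives not protected by BitLocker"
# policy would force into read-only mode.
Get-BitLockerVolumeState |
    Where-Object { $_.Type -match 'Data Volume' -and $_.Protection -ne 'Protection On' } |
    Format-Table Drive, Type, Conversion, Protection -AutoSize

# Protect the hypothetical removable drive and re-check it.
Enable-BitLockerToGo -Drive 'E:'
manage-bde -protectors -get 'E:'
```

Keep the recovery password that manage-bde prints (or configure AD DS escrow through Group Policy) before handing the drive out; without a protector other than the password, a forgotten password makes the data unrecoverable by design.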
  • Slide Title: Desktop Auditing
    Keywords: Windows 7, Auditing
    Key Message: Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet their regulatory and business compliance requirements.
    Slide Builds: 1
    Slide Script: In previous versions of Windows, detailed auditing could be configured only by using scripts. With Windows 7, you can use Group Policy settings to enable auditing for subcategories. This auditing is designed to assist organizations in meeting regulatory and business requirements.
    [BUILD1] Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements. Audit enhancements start with a simplified management approach for audit configurations and end by providing even greater visibility into what occurs in your organization. For example, Windows 7 provides greater insight into exactly why someone has access to specific information, why someone was denied access to specific information, and the reason for all of the changes made by specific people or groups. IT professionals can also use Group Policy settings to configure which files, registry keys, and other objects will be audited. With previous versions of Windows, IT professionals had to manually configure resource auditing or write scripts that enabled auditing and run them on every computer.
    Slide Transition: Now, let's demonstrate auditing.
    Additional Information: http://technet.microsoft.com/en-us/library/dd408940.aspx
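The subcategory-level policy and the "which files and registry keys are audited" setting that the note attributes to Windows 7 Group Policy are also reachable from the command line, which is useful for checking what a GPO actually produced on a client. The block below is an added example, not part of the deck or of Microsoft's samples: it enables the File System subcategory, sets a Windows 7 Global Object Access Auditing entry for failed write attempts, and then reads the resulting Security events back with Get-WinEvent. It assumes an elevated session on Windows 7 (auditpol.exe and PowerShell 2.0 are in the box) and the English labels used in the event message text.

```powershell
# Added example (not from the deck): subcategory auditing and global object
# access auditing on Windows 7, plus a reader for the resulting events.
# Assumes an elevated session; the event message parsing relies on the
# English event templates ("Account Name:", "Object Name:").

# 1. Subcategory-level policy, the granularity Windows 7 exposes in Group Policy
#    under Advanced Audit Policy Configuration. Success and failure for file access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Global Object Access Auditing (new in Windows 7): audit failed write attempts
#    by anyone on every file, without editing each file's SACL by hand.
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FW

# 3. Confirm the effective setting on this machine.
auditpol /get /subcategory:"File System"

function Get-RecentFileAccessAudits {
    param([int]$MaxEvents = 25)
    # 4656 = handle to an object requested, 4663 = access attempted, 4660 = object deleted.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4660 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $user = ''; $object = ''
        if ($e.Message -match 'Account Name:\s+(\S+)') { $user   = $matches[1] }
        if ($e.Message -match 'Object Name:\s+(.+)')   { $object = $matches[1].Trim() }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = $(if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' })
            User    = $user
            Object  = $object
        }
    }
}

Get-RecentFileAccessAudits | Format-Table Time, EventId, Outcome, User, Object -AutoSize
```

A failed write to any file by a standard user now produces an Audit Failure 4663 that names the account and the object, which is the "why someone was denied access" visibility the note refers to; the same two auditpol commands, placed in a GPO startup script or expressed as Advanced Audit Policy settings, replace the per-computer scripts the note says earlier versions required.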
  • Slide Title: Securing Anywhere Access
    Keywords: Windows 7, Security
    Key Message: Windows 7 provides the appropriate security controls so that users can access the information they need to be productive, whenever they need it, whether they are in the office or not.
    Slide Builds: 2
    Slide Script: In addition to full support for existing technologies like Network Access Protection, Windows 7 provides a more flexible firewall, Domain Name System security support, and an entirely new paradigm in remote access. Windows 7 supports multiple active firewall policies, enabling user computers to obtain and apply domain firewall profile information regardless of other networks that may be active on the computer. Through such capabilities, which are among the top features requested by enterprise customers, IT professionals can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network. The Domain Name System, or DNS, is an essential protocol that supports many everyday Internet activities, including e-mail delivery, Web browsing, and instant messaging. However, the DNS system was designed more than three decades ago, without the security concerns we face today. DNS Security Extensions (DNSSEC) is a set of extensions to DNS that provide the security services required for today's Internet. Windows 7 supports DNSSEC as specified in RFCs 4033, 4034, and 4035, giving organizations the confidence that domain name records are not being spoofed and helping them protect against malicious activities.
    [BUILD1] Network Access Protection, or NAP, is a platform and solution that controls access to network resources based on a client computer's identity and compliance with corporate governance policy. NAP enables network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.
    [BUILD2] DirectAccess enables remote users to access the corporate network any time they have an Internet connection, without the extra step of initiating a VPN connection—and thus increases their productivity when out of the office.
    Slide Transition: We'll cover this in more detail next.
    Additional Information: http://www.microsoft.com/mscorp/execmail/2007/02-06secureaccess.mspx
  • Slide Title: Direct Access
    Keywords: Windows 7, Security, Direct Access
    Key Message: Direct Access makes working outside the office simpler.
    Slide Builds: 1
    Slide Script: With Windows 7, working outside the office becomes simpler. For IT professionals, DirectAccess provides a more secure and flexible corporate network infrastructure to remotely manage and update users' computers. DirectAccess simplifies IT management by providing an "always managed" infrastructure, in which computers both on and off the network can remain healthy, managed, and updated.
    [BUILD1] With DirectAccess, IT professionals maintain fine-grained control over which network resources users can access. For example, Group Policy settings can be used to manage remote user access to enterprise applications. DirectAccess also separates Internet traffic from access to internal network resources, so that users can access public Web sites without generating additional communications traffic on the corporate network. Best of all, DirectAccess is built upon industry standards such as Internet Protocol version 6, or IPv6, and Internet Protocol security, or IPsec, to ensure that your enterprise communications remain safe and secure.
    Slide Transition: Let's discuss in more detail how Network Access Protection works.
    Additional Information: http://technet.microsoft.com/en-us/windows/dd572177.aspx
  • Slide Title: Network Access Protection
    Keywords: NAP
    Key Message: Using NAP
    Slide Builds: 5
    Slide Script: Enterprises are constantly being challenged by viruses that invade their system because of guests plugging in, employees connecting with VPN, and the everyday attacks on vulnerable computers in the network. To help them respond effectively to viruses and other threats, IT administrators are always looking for tools to detect and manage threats, establish health policies, and require baseline compliance, keep the network resilient, remediate vulnerabilities, and manage the policy enforcement and remediation systems.
    What is Network Access Protection? One of the most time-consuming challenges that administrators face is ensuring that computers that connect to the private network meet health policy requirements. Network Access Protection for Windows Server 2008 and Windows Vista helps administrators enforce compliance with health policies for network access or communication. Developers and administrators can create solutions for validating computers that connect to their networks, they can provide needed updates or access to needed resources—called health update resources—and they can limit the access of noncompliant computers. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or performing some other inappropriate task. Network Access Protection for Windows Server 2008 helps administrators enforce compliance with health policies for network access or communication. Network Access Protection verifies that all communications are authenticated, authorized and healthy. Administrators can use NAP for DHCP, VPN, IPsec, and 802.1x to set the security level that meets the needs of their organization. IT professionals can set policy-based access controls to define access to their systems.
    Cisco and Microsoft Integration Story: Cisco and Microsoft worked on a joint architecture for NAC-NAP interoperability. The new security architecture will enable customers and partners to deploy interoperable Cisco Network Admission Control and Microsoft Network Access Protection. In addition, the two companies have revealed a general road map for bringing Cisco NAC and Microsoft NAP interoperability to market, including a limited beta program set to start later in calendar year 2007. Customers will be able to start deploying the Cisco NAC-Microsoft NAP interoperable solution once Windows Server 2008 is available. Cisco and Microsoft have cross-licensed the Cisco NAC and Microsoft NAP protocols to help ensure interoperability and to enable both companies to respond to future market and customer requirements.
    Network Access Protection works with agents in the Windows XP SP2 or Windows Vista client operating systems. The client environment includes the System Health Agents, or SHAs, a Quarantine Agent, or QA, and an Enforcement Client, or EC. The Secure Hash Algorithm, also SHA, checks the state of a client and declares its health. Each SHA is defined for a system health requirement or a set of system health requirements. For example, there might be a SHA for antivirus signatures and a SHA for operating system updates.
    [BUILD1] Try to Connect to a Network: When a Windows client computer connects through DHCP, a VPN, or a router, the computer's health state is validated against the health policies as defined by the administrator.
    [BUILD2] System Health Agent: The access device then forwards the network access request on to the Network Policy Server, or NPS. The NPS includes the System Health Validator, or SHV, and the Quarantine Server, or QS. The QS coordinates the SHVs that certify declarations made by health agents.
    [BUILD3] Active Directory stores user and computer accounts and their network access properties for authenticated network access. The NPS itself does not make the authentication decision, but evaluates the connection and then forwards the credentials on to Active Directory.
    [BUILD4] Remediation Server: If a computer is not compliant, it is sent to a restricted network, where the remediation servers can apply security updates or whatever else is needed to enable compliance. Remediation servers consist of servers, services, or other resources that a noncompliant computer on the restricted network can access. These resources might store the most recent software updates or components needed to make the computer comply with health requirements. For example, a secondary DNS server, an antivirus signature file server, and a software update server could all be remediation servers. Administrators can help ensure compliance with health policies by choosing to automatically update noncompliant computers with the missing requirements through management software, such as Microsoft Systems Management Server. Computers that do not comply with health policies may have limited access until the software and configuration updates are completed. Again, computers that are compatible with Network Access Protection can automatically become compliant and the administrator can define policy exceptions.
    [BUILD5] Computer that Meets Health Policy: If a client is compliant, then the system is given access to the corporate network.
    Slide Transition: Our last demonstration shows how to use NAP.
    Additional Information: http://technet.microsoft.com/en-us/network/bb545879.aspx
  • Slide Title: TechNet Plus Direct Subscription
    Keywords: Technet, Subscription, Plus, Direct, Benefits
    Key Message: TechNet Plus has some new benefits.
    Slide Builds: 0
    Slide Script: TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning. With convenient access to all these resources in one online location, TechNet Plus provides what you need to help you:
      Evaluate products & learn new skills
      Plan for & deploy new technologies
      Support & maintain your IT environment
    For evaluation and learning you get access to all Microsoft full-version software for evaluation without time limits. This includes Microsoft Server, Client, and Application software titles. With full-version software, you can make informed decisions about new technologies at your own pace. You also receive access to the latest betas before public release. Be the first to try out the latest pre-release versions of Microsoft operating systems, servers and business applications. TechNet Plus also offers quarterly training resources including select Microsoft E-Learning courses for free so you can keep your skills current, prepare for a certification exam or get ready for a specific project.
    For planning and deployment the TechNet Library includes resources to help you plan for and deploy new technologies in your IT environment, including a complete Knowledge Base, resource kits, utilities and technical training. You also get exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager.
    For support and maintenance TechNet Plus comes with two complimentary Professional Support incidents. You can talk to a Microsoft Support Professional to quickly resolve your mission-critical technical issues. TechNet Plus also provides access to over 100 Managed Newsgroups. You can exchange ideas with other professionals and get expert answers to your technical questions within the next business day, guaranteed. You also get access to TechNet Library resources to help you support and maintain your IT environment, including security updates and service packs.
    TechNet Plus offers proven value that far exceeds its cost. The two complimentary Professional Support incidents alone more than offset the cost of a TechNet Plus subscription. Add to that the evaluation and beta software and other technical resources, and TechNet Plus clearly boosts productivity. Every IT Professional on the team needs one. For more information or to purchase a TechNet Plus subscription, please visit: technet.microsoft.com/subscriptions
    Slide Transition: Thank you for attending this TechNet event and we hope that you enjoyed learning about the new Microsoft Technologies.
    Additional Information: technet.microsoft.com/subscriptions