Microsoft Windows 7 Enhanced Security And Control


This session will explore Windows 7 core platform security improvements, securing anywhere access, data protection, and protecting desktop users. We will explain how Windows 7 features in each of these areas provide the foundation for secure and reliable platform. We will discuss User Account Control improvements, enhanced auditing, Network Access Protection (NAP), Firewall improvements, Applocker, Bitlocker and Bitlocker to go enhancements, Direct Access, Internet Explorer 8 security improvements, and EFS enhancements.

  • Slide Title: Feedback
    Slide Builds: 0
    Slide Comment: To send feedback on this slide, use the hyperlink on the feedback slide at the start and end of this deck.
  • Slide Title: Windows 7 Enterprise Security
    Keywords: Windows 7, Security
    Key Message: Windows 7 builds on the security enhancements introduced in Windows Vista.
    Slide Builds: 3
    Slide Script: Windows 7 builds on the security enhancements introduced in Windows Vista and responds to customer feedback to make the system more usable and manageable. User Account Control (UAC) has been simplified and auditing has been enhanced.
    [BUILD1] Windows 7 provides the security controls that let users reach the information they need to be productive, whether they are in the office or not. Network security and Network Access Protection (NAP) have been improved, and DirectAccess lets remote users reach the corporate network whenever they have an Internet connection, without the extra step of starting a virtual private network (VPN) connection.
    [BUILD2] Windows 7 extends BitLocker Drive Encryption to data stored on portable media such as USB flash drives and USB portable hard drives, so that only authorized users can read the data even if the media is lost, stolen, or misused.
    [BUILD3] Windows 7 provides flexible protection against malware and intrusions so that organizations can choose their own balance of security, control, and productivity. AppLocker is a flexible, easily administered mechanism that lets IT professionals specify exactly what users are allowed to run on their desktops: the applications, installation programs, and scripts they need to be productive, and nothing else. Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to identify malicious sites and block the download of malicious software.
    Slide Transition: Let's see exactly what makes Windows 7 a fundamentally secure platform.
    Additional Information: http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx
  • Slide Title: Fundamentally Secure Platform
    Keywords: Windows 7, Security
    Key Message: Windows 7 is a secure platform.
    Slide Builds: 2
    Slide Script: Fundamental protections such as Kernel Patch Protection, Windows Service Hardening, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Mandatory Integrity Control continue to raise the cost of malware and exploitation. Windows 7 is designed and developed under the Microsoft Security Development Lifecycle (SDL), and it is engineered to support Common Criteria evaluation at Evaluation Assurance Level 4 and validation of its cryptographic modules under Federal Information Processing Standard (FIPS) 140-2. Building on the security foundation of Windows Vista, Windows 7 makes significant enhancements to two core security technologies: event auditing and User Account Control.
    [BUILD1] User Account Control (UAC) was introduced in Windows Vista to improve security and lower total cost of ownership by letting day-to-day work run without administrative privilege. Windows 7 continues the investment in UAC with changes that improve the user experience: fewer operating-system tasks require administrative privilege, and users who continue to run as administrators get a configurable consent-prompt behavior. The result is that standard users can do more than before and all users see fewer prompts.
    [BUILD2] Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements.
    Slide Transition: The next item on our agenda is more secure anywhere access.
    Additional Information: http://technet.microsoft.com/en-us/library/dd560691.aspx
  • Slide Title: User Account Control
    Keywords: User Account Control
    Key Message: Overview of UAC.
    Slide Builds: 1
    Slide Script: In Windows 7, UAC is improved to increase the number of tasks a standard user can perform without an administrator-approval prompt. A user with administrator privileges can configure the UAC level in Control Panel, and local security policies let a local administrator change the behavior of UAC prompts both for administrators in Admin Approval Mode and for standard users.
    [BUILD1] The UAC improvements in Windows 7 and Windows Server 2008 R2 make configuring and troubleshooting a computer less intrusive. By default, standard users and administrators alike access resources and run applications in the security context of a standard user. When a user logs on, the system creates an access token for that user; the token carries the user's security identifiers (SIDs) and Windows privileges, which together determine the level of access granted. When an administrator logs on, two access tokens are created: a standard user token and an administrator token. The standard user token contains the same user-specific information as the administrator token, but the administrative privileges are removed and the administrative group SIDs are marked for deny only. The standard user token is used to start applications that do not perform administrative tasks. When the user starts an application that needs administrative rights, the user is asked to "elevate" from the standard user context to the administrator context; for administrators this is called Admin Approval Mode.
    In this mode, the consent prompt is shown on the secure desktop (an isolated desktop that other running applications cannot draw on or send input to), and only after the administrator approves is the application started with the full administrator token. Note that Microsoft does not describe UAC as a security boundary: at the Windows 7 default level, some signed Windows binaries elevate for administrators without a prompt, so the reduction in prompts trades some protection for usability. Organizations that want the Windows Vista behavior can select "Always notify".
    Slide Transition: Windows AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that supersedes Software Restriction Policies (SRP); SRP remains available for earlier operating systems.
    Additional Information: http://technet.microsoft.com/en-us/library/cc709691.aspx
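The split-token behavior described above can be observed directly. The following PowerShell script is an added example, not code from the deck or from Microsoft: it reads the current process token with whoami and the .NET WindowsPrincipal class, reports whether the token is filtered or elevated and which integrity level it carries, and reads the local UAC policy values. The function names are this example's own; the registry value names are the standard UAC policy values.

```powershell
# Added example (not from the deck). Run it once from a normal PowerShell
# window and once from an elevated one to see the two tokens of the same
# administrator account. Works on Windows Vista and later.

function Get-UacTokenInfo {
    # whoami lists every group in the current token with its attributes,
    # including the integrity label and entries marked "deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # The integrity level rides along as a group SID under S-1-16-<RID>.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid   = if ($label) { [int]($label.SID -split '-')[-1] } else { 0 }
    $level = switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }      # standard user / filtered admin token
        12288   { 'High' }        # elevated administrator
        16384   { 'System' }
        default { "Unknown ($rid)" }
    }

    # BUILTIN\Administrators (S-1-5-32-544) is present in the filtered token
    # too, but flagged "Group used for deny only", so it never grants access.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # IsInRole() honours the deny-only flag, so it is the reliable
    # "am I actually elevated right now?" check.
    $principal  = New-Object Security.Principal.WindowsPrincipal(
                      [Security.Principal.WindowsIdentity]::GetCurrent())
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User              = whoami
        IntegrityLevel    = $level
        AdminGroupPresent = [bool]$admins
        AdminGroupDenyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
        IsElevated        = $isElevated
    }
}

function Get-UacPolicy {
    # Local UAC policy as written by secpol.msc / Group Policy.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on
        # Admin Approval Mode prompt: 0 = elevate silently, 2 = always consent
        # on secure desktop, 5 = consent only for non-Windows binaries (Win7 default)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # Standard user: 0 = deny elevation, 3 = prompt for credentials (default)
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = secure desktop
    }
}

Get-UacTokenInfo | Format-List
Get-UacPolicy    | Format-List
```

From a non-elevated window an administrator sees Medium integrity, the Administrators group present but deny-only, and IsElevated false; the elevated window shows High and true. A ConsentPromptBehaviorAdmin of 0 means elevation happens with no prompt at all, which is the setting to look for during an audit.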
  • Slide Title: AppLocker
    Keywords: AppLocker
    Key Message: Configuring AppLocker.
    Slide Builds: 1
    Slide Script: To configure AppLocker, first set rule enforcement for each rule collection. The default is Not configured, which means that rules in the collection are enforced if any exist but a Group Policy object with higher precedence can override the setting; change it explicitly to Enforce rules, or to Audit only while you are still building the rule set, and do so for every rule collection you intend to control. The rule collections covered here are Executable rules, Windows Installer rules, and Script rules (a DLL rule collection is also available under Advanced, but it needs a rule for every DLL that users' applications load and carries a noticeable performance cost).
    AppLocker includes default rules that you can generate to allow the operating system itself to run. For Executable rules, three default rules are created: the first allows members of the Everyone group to run programs in the Program Files folder, the second allows Everyone to run programs in the Windows folder, and the third allows members of the local Administrators group to run all programs. You can keep these default rules or delete the ones that conflict with the rules you want to create. For example, to allow only certain programs in the Program Files folder, delete the default Program Files rule and create rules for just those programs. Be aware that the Windows folder default rule also covers subfolders that standard users can write to (the Windows Temp and Tasks folders are common examples); add exceptions for those paths, or rely on publisher rules, so that a user cannot simply copy a program into an allowed location. Windows Installer rules and Script rules also have default rules you can generate.
    After you create rules, make sure the Application Identity service is running. If this service is not running, AppLocker does not enforce anything.
    [BUILD1] To create a new rule, choose one of three rule types: Publisher rule, Path rule, or File Hash rule. Publisher rules survive application updates because they match on signed attributes such as publisher, product name, file name, and file version. For example, an organization can create a rule to "allow any version of Acrobat Reader at or above 9.0 to run if it is signed by Adobe"; when Adobe updates Acrobat, the update can be pushed out without a new rule. Path rules match a specific file or folder path and are only as strong as the NTFS permissions on that path. File Hash rules are for applications that are not signed; they must be recreated whenever the file changes.
    To create a Publisher rule, browse to a signed file to use as the reference for the rule. Once the reference file is selected, the publisher properties are populated automatically, and you can generalize them (for example, drop the version or the product name) to widen the rule. You can also add exceptions. For example, a Publisher rule that allows users to run the 2007 Microsoft Office system, except for Office PowerPoint 2007, would carry an exception for Office PowerPoint.
    Slide Transition: Before our first demo, let's take a look at the demonstration environment.
    Additional Information: http://technet.microsoft.com/en-us/library/dd560656.aspx
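The whole procedure above (set enforcement, generate rules, keep the default rules with tighter exceptions, confirm the Application Identity service, test) can be driven from the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate and Windows Server 2008 R2. The script below is an added example, not the deck's demo: it builds a baseline policy from the files under Program Files, starts it in audit-only mode, tests a file against it, collects what audit mode would have blocked, and then switches to enforcement. The policy path, the test file and the exception paths are assumptions for illustration; the FilePathRule XML mirrors the snap-in's default rules.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell.
Import-Module AppLocker

$policyPath = 'C:\AppLocker\baseline.xml'              # assumed location
$testFile   = 'C:\Users\Public\Downloads\tool.exe'     # assumed file to test

function New-BaselinePolicyXml {
    # Publisher rules for signed files, hash rules for unsigned ones;
    # -Optimize collapses files that share a publisher into a single rule.
    $info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Script, WindowsInstaller
    [xml]$doc = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
                    -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

    # Equivalents of the snap-in's Exe default rules, so the OS and
    # administrators are not locked out. The Windows-folder rule gets
    # exceptions for subfolders standard users can write to (examples only;
    # enumerate the writable ones in your image before relying on this).
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $exe.InnerXml += @"
<FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  <Exceptions>
    <FilePathCondition Path="%WINDIR%\Temp\*" />
    <FilePathCondition Path="%WINDIR%\Tasks\*" />
  </Exceptions>
</FilePathRule>
<FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
  <Conditions><FilePathCondition Path="*" /></Conditions>
</FilePathRule>
"@
    return $doc
}

function Set-EnforcementMode {
    # NotConfigured is what New-AppLockerPolicy emits; set it explicitly.
    param([xml]$Doc, [ValidateSet('AuditOnly','Enabled','NotConfigured')][string]$Mode)
    foreach ($rc in $Doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = $Mode }
}

# 1. Generate the policy, start in audit-only mode, apply to the local GPO.
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$doc = New-BaselinePolicyXml
Set-EnforcementMode -Doc $doc -Mode AuditOnly
$doc.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath

# 2. Nothing is enforced (or audited) unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 3. Ask the policy what it would do with a given file for a standard user.
if (Test-Path $testFile) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testFile -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. After the trial period, list what audit mode would have blocked
#    (event 8003 in the AppLocker log) and add rules for anything legitimate.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object Path, Publisher | Format-Table -AutoSize

# 5. Switch the same rule set to enforcement.
Set-EnforcementMode -Doc $doc -Mode Enabled
$doc.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Set-AppLockerPolicy without -Merge replaces the local policy, which is what you want when iterating on a test machine; use -Merge, or -Ldap against a domain GPO, once the rules are final. The audit step matters: AppLocker denies anything no rule allows, so going straight to Enforce rules with an incomplete set breaks the users' own tools first.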
  • Slide Title: Demonstration Environment
    Keywords: Demonstration Environment
    Key Message: Describe the demonstration environment being used.
    Slide Builds: 0
    Slide Script: The presenter's demonstration computer contains two virtual machines named SEA-DC-01 and SEA-WRK-001. The two machines can communicate with each other, but not with the Internet, with the host computer, or with other virtual machines. The slide shows a network diagram of the computers used in this session.
    Slide Transition: The first demonstration will cover configuring AppLocker.
  • Slide Title: IE8 Security
    Keywords: IE8, security
    Key Message: Internet Explorer 8 security overview.
    Slide Builds: 2
    Slide Script: Internet Explorer 8 delivers improved protection against security and privacy threats, including the ability to identify malicious sites and block the download of malicious software. Privacy is enhanced by the ability to browse the Web without leaving a trail on a shared computer, and by more choice and control over how Web sites can track user actions. Internet Explorer 8 also improves trust through tighter restrictions on ActiveX controls, better add-on management, improved reliability (including automatic crash recovery and tab restoration), and better support for accessibility standards. It limits social engineering and exploitation, and it reduces unwanted communications. New in Internet Explorer 8 is support for the X-Frame-Options HTTP response header, with which a site states that its pages must not be framed by other sites (DENY) or only by pages from the same origin (SAMEORIGIN). This helps prevent clickjacking, a user-interface redressing attack in which a hostile page loads the victim site in an invisible or obscured frame and tricks the user into clicking it, usually to perform an unwanted action with the user's own session. It resembles cross-site request forgery in effect, but it is carried out through the user's real click rather than a forged request. When Internet Explorer 8 finds the header on a framed page, it replaces the frame with an error page explaining that the content owner does not allow framing and offers to open the content in a new window. The header protects only pages that send it, and browsers that predate it ignore it.
    [BUILD1] Internet Explorer 8 protects the user from harm. Built on the Microsoft Phishing Filter, the SmartScreen Filter protects against a broader set of phishing threats and against sites that attempt to download malicious software. Its redesigned warning pages are intended to reduce users' click-through to confirmed malicious sites.
    Internet Explorer 8 helps protect customers and systems from attacks that can lead to information disclosure, cookie theft, account or identity theft, or other attempts to masquerade as the user. Cross-site scripting (XSS) has become a leading attack against Web applications. Internet Explorer 8 has an XSS filter that dynamically detects reflected (type-1) XSS, where attacker-supplied input in the request is echoed back in the response, and neutralizes the reflected script. It does not address stored or DOM-based XSS and is no substitute for correct output encoding on the server; a site can opt a page out of the filter with the X-XSS-Protection: 0 response header, which should be reserved for pages where the filter demonstrably breaks legitimate content. Per-site ActiveX reduces attack surface by providing an implicit SiteLock (restriction of a control to a specific domain), so that by default controls run only from the site they were installed from. This lets users and administrators manage where a given ActiveX control is allowed to run. Per-user ActiveX lets developers write controls that install only for the user who installs them, not for all users on the system, which limits the exposure of other users to malicious or badly written controls.
    [BUILD2] Internet Explorer 8 helps you control your information. It enhances Delete Browsing History with the ability to delete cookies, history, and other data while preserving the same data for favorite sites. InPrivate helps keep browsing data from being retained on the computer in use and protects against third parties positioned to track a consumer's online activity. The two InPrivate features, InPrivate Browsing and InPrivate Filtering, can be used independently. When InPrivate Browsing is active, browsing history, temporary Internet files, and cookies are not kept after the session; toolbars and extensions are disabled automatically, and the session's history is deleted when the browser is closed. InPrivate Filtering lets the consumer block content from third parties positioned to track and aggregate online behavior across sites, with notice, choice, and control over which third parties to allow and which to filter.
    Slide Transition: Let's move on to the third agenda item.
    Additional Information: http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
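Internet Explorer 8 can only honor X-Frame-Options if the site sends it. The following PowerShell function is an added example, not part of the deck or of Internet Explorer: it adds the header to an IIS 7 site's web.config through the standard system.webServer/httpProtocol/customHeaders section, correcting the value if one is already present, and runs against a constructed sample web.config in the temp folder. The sample configuration, the temp path and the function name are assumptions for illustration.

```powershell
# Added example (not from the deck): make an IIS 7 site send X-Frame-Options.
function Add-FrameHeader {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [ValidateSet('DENY','SAMEORIGIN')][string]$Value = 'SAMEORIGIN'
    )
    [xml]$doc = Get-Content -Path $WebConfigPath
    $root = $doc.configuration

    # Walk (or create) configuration/system.webServer/httpProtocol/customHeaders.
    $ws = $root.SelectSingleNode('system.webServer')
    if (-not $ws) { $ws = $root.AppendChild($doc.CreateElement('system.webServer')) }
    $hp = $ws.SelectSingleNode('httpProtocol')
    if (-not $hp) { $hp = $ws.AppendChild($doc.CreateElement('httpProtocol')) }
    $ch = $hp.SelectSingleNode('customHeaders')
    if (-not $ch) { $ch = $hp.AppendChild($doc.CreateElement('customHeaders')) }

    $existing = $ch.SelectSingleNode("add[@name='X-Frame-Options']")
    if ($existing) {
        # Already declared: overwrite a weak or mistyped value rather than
        # adding a duplicate, which IIS would reject.
        $existing.SetAttribute('value', $Value)
    } else {
        $add = $doc.CreateElement('add')
        $add.SetAttribute('name',  'X-Frame-Options')
        $add.SetAttribute('value', $Value)
        $ch.AppendChild($add) | Out-Null
    }
    $doc.Save($WebConfigPath)
    return $ch.SelectSingleNode("add[@name='X-Frame-Options']").GetAttribute('value')
}

# Constructed sample: a site that sets an unrelated header and no framing
# policy at all, which is exactly what a clickjacking page relies on.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Powered-By" value="ASP.NET" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@
$path = Join-Path $env:TEMP 'web.config'      # assumed location for the demo
Set-Content -Path $path -Value $sample -Encoding UTF8

Add-FrameHeader -WebConfigPath $path -Value SAMEORIGIN   # returns "SAMEORIGIN"
Get-Content -Path $path
```

DENY is the right value for pages that never need to be framed (login, account and payment pages); SAMEORIGIN is for sites that frame their own content. The header must go on every response that matters, not just the home page, since the attacker chooses which URL to frame.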
  • [BUILD2] BitLocker Drive Encryption in Windows 7 delivers an improved experience for IT professionals and end users, including the ability to right-click a drive to turn on BitLocker, automatic creation of the required separate system partition during setup, and improved key management. Windows 7 also introduces BitLocker To Go, which protects data on removable storage devices such as USB flash drives.
    Slide Transition: Let's look at some specific BitLocker enhancements.
    Additional Information: http://technet.microsoft.com/en-us/library/cc700811.aspx
  • Slide Title: BitLocker
    Keywords: BitLocker
    Key Message: Overview of BitLocker.
    Slide Builds: 0
    Slide Script: Windows 7 addresses the continuing threat of data leakage with manageability and deployment updates to BitLocker Drive Encryption and with the introduction of BitLocker To Go, which extends BitLocker protection to removable storage devices. Support for FAT-formatted data volumes means a broader range of disk formats and devices can be protected, including USB flash drives and portable disk drives. Whether you are traveling with a laptop, sharing large files with a trusted partner, or taking work home, BitLocker- and BitLocker To Go-protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused, and the feature is easy to deploy and intuitive for the end user.
    BitLocker To Go also gives administrators control over how removable storage devices can be used in their environment and over the strength of protection they require. Administrators can require BitLocker protection on any removable storage device that users write to, while still allowing unprotected devices to be used read-only. Policies can require a password, a smart card, or domain user credentials to unlock a protected removable device, and can set password length and complexity. Finally, BitLocker To Go provides configurable read-only support for protected removable devices on older versions of Windows through the BitLocker To Go Reader, so that files can be shared with users still running Windows Vista and Windows XP; the reader works only with FAT-formatted drives, so NTFS-formatted removable drives stay unreadable on those systems. A password protector is only as strong as the password chosen, which is why the complexity policy exists; the recovery password, or recovery information escrowed to Active Directory Domain Services by policy, is what recovers the data when the user forgets it.
    Slide Transition: Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements.
    Additional Information: http://technet.microsoft.com/en-us/windows/aa905065.aspx
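A practitioner rolling out the removable-drive policy above usually wants to know which attached removable volumes are still unprotected and what the effective BitLocker To Go policy on the machine is. The script below is an added example, not the deck's demo: it queries the Win32_EncryptableVolume WMI class that BitLocker exposes on Windows Vista and Windows 7 and reads the FVE policy values that the corresponding Group Policy settings write. The function names are this example's own; the registry value names are the ones written by the "Deny write access to removable drives not protected by BitLocker" and "Configure use of passwords for removable data drives" settings.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell.

function Get-RemovableVolumeProtection {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    # Win32_Volume DriveType 2 = removable disk
    $removable = Get-WmiObject -Class Win32_Volume -Filter 'DriveType = 2' |
                 Where-Object { $_.DriveLetter }
    foreach ($vol in $removable) {
        $letter = $vol.DriveLetter
        $ev = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = '$letter'"
        # GetProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
        $status = if ($ev) { $ev.GetProtectionStatus().ProtectionStatus } else { 2 }
        # Key protector type 0 = every protector (password, smart card, recovery password, ...)
        $protectors = if ($ev) { ($ev.GetKeyProtectors(0).VolumeKeyProtectorID | Measure-Object).Count } else { 0 }
        New-Object PSObject -Property @{
            Drive      = $letter
            FileSystem = $vol.FileSystem          # FAT/FAT32 stays readable by the XP/Vista reader
            Protection = @{0='Off'; 1='On'; 2='Unknown'}[[int]$status]
            Protectors = $protectors
        }
    }
}

function Get-BitLockerToGoPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    New-Object PSObject -Property @{
        # Unprotected removable drives are read-only when this is 1.
        DenyWriteToUnprotected = [bool]$p.RDVDenyWriteAccess
        # Drives protected by another organization (identification field) are read-only too.
        DenyWriteCrossOrg      = [bool]$p.RDVDenyCrossOrg
        # Password protector allowed / required on removable drives.
        PasswordAllowed        = [bool]$p.RDVPassphrase
        PasswordRequired       = [bool]$p.RDVEnforcePassphrase
    }
}

"Removable volumes:"
Get-RemovableVolumeProtection | Format-Table Drive, FileSystem, Protection, Protectors -AutoSize
"BitLocker To Go policy in force:"
Get-BitLockerToGoPolicy | Format-List
```

A drive listed with Protection Off while DenyWriteToUnprotected is true is exactly the case the policy covers: users can read it but not write to it until they turn BitLocker on, for example with manage-bde -on E: -pw -rp, which adds a password protector and a recovery password.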
  • Slide Title: Desktop Auditing
    Keywords: Windows 7, Auditing
    Key Message: Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements.
    Slide Builds: 1
    Slide Script: In Windows Vista, the detailed audit subcategories could be configured only with the auditpol.exe command-line tool, typically from a logon script. In Windows 7, the subcategory settings are exposed directly as Group Policy settings (Advanced Audit Policy Configuration), so the same granular policy can be applied centrally. This auditing is designed to help organizations meet regulatory and business requirements.
    [BUILD1] Audit enhancements start with a simplified management approach to audit configuration and end with greater visibility into what occurs in your organization. For example, Windows 7 can record the reason an access to specific information was granted or denied (the "reason for access" fields in object access events) and can attribute changes to specific people or groups. IT professionals can also use Group Policy to define which files, registry keys, and other objects are audited, through Global Object Access Auditing, which applies one system access control list (SACL) to every file or registry key on a computer without touching each object. In earlier versions of Windows, IT professionals had to configure resource auditing by hand or write scripts that set SACLs and run them on every computer. Because subcategory settings and the legacy nine-category settings cannot both be in effect, enable the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" when you move to the granular model; otherwise a category setting applied elsewhere in the policy can silently replace it.
    Slide Transition: Now, let's demonstrate auditing.
    Additional Information: http://technet.microsoft.com/en-us/library/dd408940.aspx
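The subcategory model, a per-object SACL and the resulting events can be exercised end to end on one machine. The script below is an added example and not the deck's auditing demo: it checks the subcategory-override setting, enables the File System subcategory with auditpol.exe, shows the machine-wide Global Object Access Auditing SACL if one is set, puts an audit entry on a folder, performs a write, and reads back the resulting 4663 events. The folder path and test file are constructed for the example; the auditpol syntax and event ID are those of Windows 7.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell;
# setting a SACL needs the SeSecurityPrivilege that elevation provides.

# 1. Is the granular (subcategory) model in force? Group Policy's "Force audit
#    policy subcategory settings..." writes SCENoApplyLegacyAuditPolicy = 1.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"Subcategory settings override legacy categories: $([bool]$lsa.SCENoApplyLegacyAuditPolicy)"

# 2. Turn on the subcategories that produce object access events, then
#    print the Object Access category so the change is visible.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable | Out-Null
auditpol /get /category:"Object Access"

# 3. Global Object Access Auditing (new in Windows 7): one SACL for every
#    file on the machine. This only views it; to set one, use for example
#    auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW
auditpol /resourceSACL /type:File /view

# 4. Classic per-object SACL on a single folder, inherited by its contents.
$folder = 'C:\Finance'                     # assumed folder for the demo
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. Generate an audited write, then pull the matching 4663 (object accessed)
#    events from the Security log. The message's first line is the summary.
Set-Content -Path (Join-Path $folder 'q1.txt') -Value 'constructed test data'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($folder) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The SACL alone produces nothing: step 2 is what makes the kernel emit the events, and step 1 is what stops a legacy category setting from switching them off again after the next policy refresh. In production, the auditpol calls belong in the Advanced Audit Policy Configuration GPO rather than in a script, which is the point of the Windows 7 change.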
  • Slide Title: Securing Anywhere Access
    Keywords: Windows 7, Security
    Key Message: Windows 7 provides the appropriate security controls so that users can access the information they need to be productive, whenever they need it, whether they are in the office or not.
    Slide Builds: 2
    Slide Script: In addition to full support for existing technologies such as Network Access Protection, Windows 7 provides a more flexible firewall, Domain Name System security support, and an entirely new approach to remote access.
    Windows 7 supports multiple active firewall profiles, so a computer connected to the corporate domain and to another network at the same time (a laptop on a hotel wireless network with a VPN or DirectAccess tunnel up, for example) applies the Domain profile rules to the domain connection and the Public profile rules to the other one, instead of applying the most restrictive profile to every interface as Windows Vista did. With this capability, which was among the top features requested by enterprise customers, IT professionals can maintain a single set of rules for remote clients and for clients physically connected to the corporate network.
    The Domain Name System (DNS) underpins everyday Internet activity, including e-mail delivery, Web browsing, and instant messaging. However, DNS was designed more than two decades ago, without today's security concerns in mind, and a client normally has no way to tell a genuine answer from a spoofed one. DNS Security Extensions (DNSSEC) add digital signatures to DNS records so that a resolver can verify that an answer is authentic and unmodified. Windows 7 supports DNSSEC as specified in RFCs 4033, 4034, and 4035. The Windows 7 client is a security-aware but non-validating stub resolver: it does not check signatures itself, but through Name Resolution Policy Table (NRPT) rules it can require that the DNS server it queries has validated the answer (the Authenticated Data bit in the response) and that the path to that server is protected with IPsec, so that the unverified last hop cannot be tampered with.
    [BUILD1] Network Access Protection (NAP) is a platform that controls access to network resources based on a client computer's identity and its compliance with corporate health policy. NAP lets network administrators define levels of network access based on who the client is, the groups it belongs to, and how compliant it is with policy. If a client is not compliant, NAP provides a mechanism to bring it back into compliance automatically and then increase its level of network access.
    [BUILD2] DirectAccess lets remote users reach the corporate network any time they have an Internet connection, without the extra step of starting a VPN connection, which increases their productivity when out of the office.
    Slide Transition: We'll cover this in more detail next.
    Additional Information: http://www.microsoft.com/mscorp/execmail/2007/02-06secureaccess.mspx
  • Slide Title: Direct Access
    Keywords: Windows 7, Security, Direct Access
    Key Message: DirectAccess makes working outside the office simpler.
    Slide Builds: 1
    Slide Script: With Windows 7, working outside the office becomes simpler. For IT professionals, DirectAccess provides a more secure and flexible infrastructure for managing and updating users' computers remotely. It simplifies IT management by providing an "always managed" infrastructure in which computers both on and off the network stay healthy, managed, and updated: the computer's IPsec tunnel to the corporate network is established at boot, before any user logs on, so Group Policy and software updates reach it wherever it is.
    [BUILD1] With DirectAccess, IT professionals keep fine-grained control over which network resources users can access; for example, Group Policy settings can limit remote user access to specific enterprise applications. DirectAccess also separates Internet traffic from access to internal resources, so users reach public Web sites directly without routing that traffic through the corporate network. DirectAccess is built on industry standards, Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), so enterprise communications remain protected in transit. It requires Windows 7 Enterprise or Ultimate on domain-joined clients and a Windows Server 2008 R2 DirectAccess server; clients on IPv4-only networks reach the server through the IPv6 transition technologies 6to4, Teredo, or IP-HTTPS.
    Slide Transition: Let's discuss in more detail how Network Access Protection works.
    Additional Information: http://technet.microsoft.com/en-us/windows/dd572177.aspx
  • Slide Title: Network Access Protection
    Keywords: NAP
    Key Message: Using NAP
    Slide Builds: 5
    Slide Script: Enterprises are constantly challenged by malware that enters through guests plugging in, employees connecting over VPN, and everyday attacks on vulnerable computers already on the network. To respond effectively, IT administrators need tools to detect and manage threats, to establish health policies and require baseline compliance, to keep the network resilient, to remediate vulnerabilities, and to manage the enforcement and remediation systems themselves.
    What is Network Access Protection? One of the most time-consuming challenges administrators face is ensuring that computers connecting to the private network meet health policy requirements. NAP, introduced with Windows Server 2008 and Windows Vista and carried forward in Windows Server 2008 R2 and Windows 7, lets administrators enforce compliance with health policies for network access or communication. Developers and administrators can build solutions that validate computers connecting to the network, provide the updates or resources they need (health update resources), and limit the access of noncompliant computers. NAP verifies that a computer is healthy at the time it connects; administrators can choose DHCP, VPN, IPsec, or 802.1X enforcement to match the assurance their organization needs. DHCP enforcement is the easiest to deploy but also the easiest to bypass, because a client can simply assign itself a static address; 802.1X and IPsec enforcement are considerably stronger. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or performing some other inappropriate task.
    Cisco and Microsoft integration: Cisco and Microsoft worked on a joint architecture for NAC-NAP interoperability, so that customers and partners can deploy interoperable Cisco Network Admission Control and Microsoft Network Access Protection. The two companies announced a road map for bringing that interoperability to market, including a limited beta program starting in calendar year 2007, with deployment possible once Windows Server 2008 was available. They also cross-licensed the Cisco NAC and Microsoft NAP protocols to ensure interoperability and to let both companies respond to future market and customer requirements.
    NAP works with agent components in the Windows XP (Service Pack 3), Windows Vista, and Windows 7 client operating systems. The client side includes one or more System Health Agents (SHAs), the NAP Agent (called the Quarantine Agent, or QA, in early documentation), and one or more Enforcement Clients (ECs). Each SHA checks the state of the client for one system health requirement, or a set of them, and produces a statement of health; for example, there might be an SHA for antivirus signatures and another for operating system updates. (The abbreviation SHA here has nothing to do with the Secure Hash Algorithm.)
    [BUILD1] Try to connect to a network: When a Windows client connects through DHCP, a VPN, or an 802.1X switch or access point, the client's statement of health accompanies the access request and is validated against the health policies defined by the administrator.
    [BUILD2] System Health Agent: The access device forwards the network access request to the Network Policy Server (NPS). The NPS hosts the System Health Validators (SHVs) and the NAP Administration Server (the Quarantine Server, or QS), which coordinates the SHVs that verify the statements of health made by the agents.
    [BUILD3] Active Directory stores user and computer accounts and their network access properties. The NPS evaluates the connection request against its policies and authenticates the credentials against Active Directory, then returns the access decision to the enforcement point.
    [BUILD4] Remediation Server: If a computer is not compliant, it is placed on a restricted network where remediation servers can apply security updates or whatever else is needed to reach compliance. Remediation servers are servers, services, or other resources that a noncompliant computer on the restricted network is allowed to reach; they might hold the latest software updates or components needed to satisfy the health requirements. For example, a secondary DNS server, an antivirus signature file server, and a software update server could all be remediation servers. Administrators can also have noncompliant computers updated automatically through management software such as Microsoft Systems Management Server. Computers that do not comply with health policy may have limited access until the software and configuration updates complete; NAP-capable computers can become compliant automatically, and the administrator can define policy exceptions for computers that cannot.
    [BUILD5] Computer that meets health policy: If a client is compliant, it is given access to the corporate network.
    Slide Transition: Our last demonstration shows how to use NAP.
    Additional Information: http://technet.microsoft.com/en-us/network/bb545879.aspx
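On the client, the pieces above (the NAP Agent service and the enforcement client for the chosen method) have to be switched on before the statement of health is ever sent; a client with the agent stopped looks noncompliant and lands on the restricted network. The script below is an added example, not the deck's NAP demo: it enables the agent, turns on the enforcement clients by their documented identifiers through netsh, and prints the agent's view of its state. The function name is this example's own; which enforcement clients to enable depends on the server-side design, and DHCP plus EAP (802.1X) is only the assumed combination here.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell on a
# Windows 7 (or Windows Vista / XP SP3) NAP client.

# Documented NAP enforcement client identifiers.
$enforcementClients = @{
    79617 = 'DHCP Quarantine Enforcement Client'
    79618 = 'Remote Access Quarantine Enforcement Client'   # VPN
    79619 = 'IPsec Relying Party'
    79621 = 'RD Gateway Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'             # 802.1X wired/wireless
}

function Enable-NapClient {
    param([Parameter(Mandatory=$true)][int[]]$EnforcementId)

    # The NAP Agent service must run, and start automatically, or no
    # statement of health is produced and the client stays restricted.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    foreach ($id in $EnforcementId) {
        if (-not $enforcementClients.ContainsKey($id)) {
            throw "Unknown NAP enforcement client ID $id"
        }
        "Enabling $($enforcementClients[$id]) ($id)"
        netsh nap client set enforcement ID=$id ADMIN=ENABLE | Out-Null
    }

    # Agent view: enforcement clients, registered SHAs and current
    # restriction state, which is what to read first when a client is
    # unexpectedly quarantined.
    netsh nap client show state
}

# Enforcement clients are chosen to match the server side; here the assumed
# design uses DHCP enforcement plus 802.1X (EAP).
Enable-NapClient -EnforcementId 79617, 79623
```

The same settings are normally delivered through Group Policy (Network Access Protection under Computer Configuration), so the script is most useful for lab machines and for diagnosing a client: when netsh nap client show state reports the agent running but no enforcement client enabled, the health check is never happening, whatever the server says.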
  • Slide Title: TechNet Plus Direct Subscription
    Keywords: TechNet, Subscription, Plus, Direct, Benefits
    Key Message: TechNet Plus has some new benefits.
    Slide Builds: 0
    Slide Script: TechNet Plus is a premium web-enabled and live support resource that gives IT professionals fast and easy access to Microsoft experts, software, and technical information, enhancing IT productivity, control, and planning. With convenient access to all these resources in one online location, TechNet Plus helps you evaluate products and learn new skills, plan for and deploy new technologies, and support and maintain your IT environment.
    For evaluation and learning, you get access to full-version Microsoft server, client, and application software for evaluation without time limits, so you can make informed decisions about new technologies at your own pace. You also receive access to the latest betas before public release, so you can be among the first to try pre-release versions of Microsoft operating systems, servers, and business applications. TechNet Plus also offers quarterly training resources, including select Microsoft E-Learning courses at no charge, so you can keep your skills current, prepare for a certification exam, or get ready for a specific project.
    For planning and deployment, the TechNet Library includes a complete Knowledge Base, resource kits, utilities, and technical training, plus exclusive tools such as System Center Capacity Planner to plan for and deploy Exchange Server and System Center Operations Manager.
    For support and maintenance, TechNet Plus comes with two complimentary Professional Support incidents, so you can talk to a Microsoft Support Professional to resolve mission-critical technical issues quickly. It also provides access to over 100 Managed Newsgroups, where you can exchange ideas with other professionals and get expert answers to your technical questions within the next business day, guaranteed, and to TechNet Library resources for supporting and maintaining your environment, including security updates and service packs.
    TechNet Plus offers proven value that far exceeds its cost: the two complimentary Professional Support incidents alone more than offset the subscription price, and the evaluation and beta software and other technical resources add to that. Every IT professional on the team needs one. For more information or to purchase a TechNet Plus subscription, visit technet.microsoft.com/subscriptions.
    Slide Transition: Thank you for attending this TechNet event; we hope that you enjoyed learning about the new Microsoft technologies.
    Additional Information: technet.microsoft.com/subscriptions

Transcript

  • 1. CLI-309
  • 2. Do Not Delete This Slide
    We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body.
    Note: The subject-line information is used to route your feedback. If you remove or modify the subject line we may be unable to process your feedback. Your feedback may be used to improve our products, technologies and services.
    Send feedback
  • 3. Microsoft Windows 7 Enhanced Security and Control
    Level 300
  • 4. What Will We Cover?
    Fundamentally Secure Platform
    Helping Secure Anywhere Access
    Protecting Data
    Protecting Users and Infrastructure
  • 5. Agenda
    Reviewing Windows 7 Security Goals
    Protecting Desktop Users
    Examining Data Protection
    Exploring Secure Anywhere Access
  • 6. Windows 7 Enterprise Security
    Fundamentally Secure Platform
    Secure Anywhere Access
    Protect Data from Unauthorized Viewing
    Protect Users and Infrastructure
  • 7. Fundamentally Secure Platform
    Windows Vista Foundation
    Simplified User Account Control (UAC)
    Enhanced Auditing
  • 8. Agenda
    Reviewing Windows 7 Security Goals
    Protecting Desktop Users
    Examining Data Protection
    Exploring Secure Anywhere Access
  • 9. User Account Control
    Challenges
    • User provides explicit consent
    • Disabling UAC removes protections
    Simplified UAC
    • Reduce number of applications that require elevation
    • Re-factor applications into elevated and non-elevated pieces
    • Flexible prompt behavior
    Customer Value
    • Standard users can do more
    • Administrators will see fewer UAC elevation prompts
  • AppLocker
    Challenges
    • Users can install and run non-standard applications
    • Even standard users can install some types of software
    AppLocker™
    • Eliminate unwanted/unknown applications in your network
    • Enforce application standardization within your organization
    • Easily create and manage flexible rules using Group Policy
  • AppLocker
  • 15. AppLocker - Notes
  • 16. Demonstration Environment
  • 17. Demonstration: Configuring AppLocker
    Add AppLocker Default Rules
    Create AppLocker Executable Rule Using Group Policy
    Create an AppLocker Windows Installer Rule
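The three demonstration steps above (default rules, an executable rule, a Windows Installer rule) can also be scripted. The block below is an added example written for this transcript using the AppLocker PowerShell module that ships with Windows 7 and Windows Server 2008 R2; it is not code from the deck or from Microsoft. The directory paths, the rule-name prefixes, the file names handed to Test-AppLockerPolicy and the GPO LDAP path are placeholders. The built-in default rules (allow %WINDIR% and %PROGRAMFILES% for Everyone, allow everything for Administrators) are still created from the AppLocker node of the Group Policy editor; the script merges its generated rules next to them instead of replacing the policy, because a policy whose Exe collection lacks those allow rules blocks Windows itself.

```powershell
# Added example, not from the deck: generate, test and merge AppLocker rules.
# Paths, rule-name prefixes, test file names and the GPO LDAP path are placeholders.
Import-Module AppLocker

# 1. AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Executable rule: collect file information for the application the organisation
#    actually uses. Publisher rules survive updates of signed binaries; hash rules are
#    the fallback for unsigned files, so -RuleType lists both in that order.
$exeInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files\ContosoApp' -Recurse -FileType Exe
$exePolicy = New-AppLockerPolicy -FileInformation $exeInfo -RuleType Publisher, Hash `
    -RuleNamePrefix 'ContosoApp' -User 'Everyone' -Optimize -Xml
$exePolicy | Out-File -FilePath 'C:\AppLocker\ContosoApp-exe.xml' -Encoding Unicode

# 3. Windows Installer rule: same procedure over the .msi packages that may be installed.
$msiInfo = Get-AppLockerFileInformation -Directory 'C:\Deploy\Packages' -Recurse -FileType WindowsInstaller
$msiPolicy = New-AppLockerPolicy -FileInformation $msiInfo -RuleType Publisher, Hash `
    -RuleNamePrefix 'ContosoMsi' -User 'Everyone' -Optimize -Xml
$msiPolicy | Out-File -FilePath 'C:\AppLocker\ContosoApp-msi.xml' -Encoding Unicode

# 4. Test before enforcing: the PolicyDecision column shows what each file would get.
#    The first path should be Allowed, the unknown download should be Denied.
Test-AppLockerPolicy -XmlPolicy 'C:\AppLocker\ContosoApp-exe.xml' `
    -Path 'C:\Program Files\ContosoApp\app.exe', 'C:\Users\Public\Downloads\unknown.exe' `
    -User 'Everyone' | Format-Table -AutoSize

# 5. Merge into the local policy (lab) or into a GPO (-Ldap, placeholder DN).
#    Without -Merge, Set-AppLockerPolicy replaces the whole policy, default rules included.
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\ContosoApp-exe.xml' -Merge
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\ContosoApp-msi.xml' -Merge
# Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\ContosoApp-exe.xml' -Merge `
#     -Ldap 'LDAP://DC1.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'

# 6. Confirm what is in effect after Group Policy processing, as XML.
Get-AppLockerPolicy -Effective -Xml
```

Run the Test-AppLockerPolicy step with the policy set to Audit only first; AppLocker then writes its decisions to the AppLocker event log without blocking anything, which is the safest way to find the applications a rule set forgot.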
  • 18. Internet Explorer 8 Security
    Freedom from Intrusion
    • Social engineering and exploits
    • Reduce unwanted communications
    Protection from Harm
    • Browser and Web server exploits
    • Protection from deceptive Web sites, malicious code, online fraud, identity theft
    Control of Information
    • Choice and control
    • Clear notice of information use
    • Provide only what is needed
  • Agenda
    Reviewing Windows 7 Security Goals
    Protecting Desktop Users
    Examining Data Protection
    Exploring Secure Anywhere Access
  • 27. Protect Data from Unauthorized Viewing
    Active Directory® Rights Management Services (RMS)
    • Policy definition and enforcement
    • Protects information wherever it travels
    • Integrated RMS client
    Encrypting File System (EFS)
    • User-based file and folder encryption
    • Ability to store EFS keys on a smart card
    BitLocker™
    • Easier to configure and deploy
    • Share protected data with co-workers, clients, partners, and others
    • Improve compliance and data security
  • BitLocker
    Extend BitLocker drive encryption to removable devices
    Create group policies to mandate the use of encryption and block unencrypted drives
    Simplify BitLocker setup and configuration of primary hard drive
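The slide's three points (BitLocker on removable drives, a policy that blocks unencrypted drives, simpler setup) can be checked from the command line. What follows is an added example written for this transcript, not code from the deck or from Microsoft; the drive letter is a placeholder and the Windows 7 manage-bde tool and the BitLocker WMI provider are assumed to be present. The registry value it reads is where the "Deny write access to removable drives not protected by BitLocker" Group Policy setting is stored.

```powershell
# Added example, not from the deck: protect a removable drive with BitLocker To Go
# and verify both the drive's state and the policy that blocks unprotected drives.
$drive = 'E:'   # placeholder removable drive

# 1. Turn on BitLocker with a password protector plus a numerical recovery password.
#    -Password prompts interactively; manage-bde prints the recovery password, which
#    should be escrowed (for example in Active Directory) before the drive leaves the building.
manage-bde -on $drive -RecoveryPassword -Password
manage-bde -status $drive
manage-bde -protectors -get $drive

# 2. Ask the BitLocker WMI provider for the protection state of the volume.
#    GetProtectionStatus() returns 0 = protection off, 1 = on, 2 = unknown.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'"
$protection = $vol.GetProtectionStatus().ProtectionStatus
switch ($protection) {
    1       { Write-Output "$drive is BitLocker-protected" }
    0       { Write-Output "$drive is NOT protected: writes should be blocked by policy" }
    default { Write-Output "$drive protection state unknown (encryption may still be in progress)" }
}

# 3. Confirm the Group Policy setting that denies write access to unprotected removable
#    drives has actually applied on this machine (value 1 = enabled, absent = not configured).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$deny = (Get-ItemProperty -Path $policyKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
if ($deny -eq 1) {
    Write-Output 'Policy applied: unprotected removable drives are read-only'
} else {
    Write-Output 'Policy not applied: unencrypted removable drives remain writable (run gpupdate /force and recheck)'
}
```

The registry check is the quick way to tell a client that has not yet processed the new GPO from one where the policy is in force; the WMI call is what a compliance script would use to inventory which removable drives are actually encrypted rather than merely allowed.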
  • 38. Desktop Auditing
    Challenges
    • Granular auditing complex to configure
    • Auditing access and privilege use for a group of users
    Enhanced Auditing
    • Simplified configuration results in lower total cost of ownership (TCO)
    • Demonstrate why a person has access to specific information
    • Understand why a person has been denied access to specific information
    • Track all changes made by specific people or groups
  • Demonstration: Enabling Auditing
    Use Group Policy to Configure Auditing
    Configure the File System Audit Policy
    Enable Auditing for a File or Folder
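The demonstration steps above (configure the File System audit policy, then enable auditing on a file or folder) map onto two settings: the subcategory audit policy, which the deck configures through Group Policy and which the example below sets locally with auditpol, and a SACL on the object. The block is an added example written for this transcript, not code from the deck or from Microsoft; the folder path and group name are placeholders. It also enables Handle Manipulation auditing, which is what makes Windows 7 record the access reasons the slide refers to ("why a person has access") in the 4656 event.

```powershell
# Added example, not from the deck: enable file-system auditing on a folder and
# read the resulting Security log events. Folder and group names are placeholders.

# 1. Subcategory audit policy (Windows 7 granular policy). Without "File System"
#    auditing, SACL entries on files are never evaluated; "Handle Manipulation"
#    adds the access-reason data to event 4656.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Put an audit entry (SACL) on the folder for the group of interest, inherited
#    by subfolders and files, for both successful and failed access.
$folder = 'C:\Finance\Reports'
$group  = 'CONTOSO\Finance-Users'
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify the SACL is in place.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Read the audit trail. 4663 = an attempt was made to access an object;
#    4656 = a handle to an object was requested (logged for denials as well, and in
#    Windows 7 carries the "Access Reasons" that explain which ACE granted or denied).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

In production the subcategory policy comes from the Advanced Audit Policy Configuration node of a GPO rather than from auditpol on each machine, and the SACL is pushed the same way; the auditpol calls here show exactly which subcategories that GPO must enable for the SACL to produce events.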
  • 42. Agenda
    Reviewing Windows 7 Security Goals
    Protecting Desktop Users
    Examining Data Protection
    Exploring Secure Anywhere Access
  • 43. Secure Anywhere Access
    Network Security
    • Policy-based network segmentation
    • Multi-home firewall profiles
    • Domain Name System Security Extensions (DNSSEC) support
    Network Access Protection (NAP)
    • Ensure that only “healthy” machines can access corporate data
    • Enable “unhealthy” machines to get clean before they gain access
    DirectAccess
    • Security-protected, seamless, always-on connection
    • Improved management of remote users
    • Consistent security for all access scenarios
  • DirectAccess
    Challenges
    • Difficult for users to access corporate resources from outside the office
    • Challenging for IT to manage, update, and patch mobile computers while disconnected from company network
    DirectAccess
    • Same experience accessing corporate resources inside and outside the office
    • Seamless connection increases productivity of mobile users
    • Easy to service mobile computers and distribute updates and policies
  • Network Access Protection
    Figure: NAP flow showing a Windows client, the enforcement point (DHCP, VPN or switch/router), the Network Policy Server (NPS), policy servers (such as patch, AV), remediation servers (example: patch), the restricted network and the corporate network; the client is marked either Not Policy-Compliant or Policy-Compliant.
    1. Client requests access to network and presents current health state
    2. DHCP, VPN or switch/router relays health status to Microsoft Network Policy Server (RADIUS)
    3. Network Policy Server (NPS) validates against IT-defined health policy
    4. If not policy-compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1-4)
    5. If policy-compliant, client is granted full access to corporate network
  • 58. Demonstration: Using Network Access Protection
    Configure Windows Security Health Validator
    Configure Exception Group
    Configure Certificate Settings
  • 59. Session Summary
    Fundamentally Secure Platform
    Helping Secure Anywhere Access
    Protecting Data
    Protecting Users and Infrastructure
  • 60. Where to Find More Information?
    Visit TechNet at technet.microsoft.com
    Also check out TechNet Edge
    edge.technet.com
    Or just visit http://go.microsoft.com/?linkid=9662641
    for additional information on this session.
  • 61. Supporting Publications
    For more titles, visit http://go.microsoft.com/?linkid=9662641
  • 62. Training Resources
    For more training information visit http://go.microsoft.com/?linkid=9662641
  • 63. Become a Microsoft Certified Professional
    What are MCP certifications?
    Validation in performing critical IT functions.
    Why Certify?
    Worldwide recognition of skills gained via experience.
    More effective deployments with reduced costs
    What Certifications are there for IT Pros?
    MCTS, MCITP.
    www.microsoft.com/certification
  • 64. Microsoft TechNet Plus
    TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
    Evaluate & Learn
    Plan & Deploy
    Support & Maintain
    2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)
    Access over 100 managed newsgroups and get next business day response, guaranteed
    Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
    Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
    Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
    Evaluate full versions of all Microsoft commercial software for evaluation—without time limits. This includes all client, server and Office applications.
    Try out all the latest betas before public release
    Keep your skills current with quarterly training resources including select Microsoft E-Learning courses
    Get all these resources and more with a TechNet Plus subscription.
    For more information visit: technet.microsoft.com/subscriptions
  • 65. Your potential. Our Passion
  • 67. Session Credits
    Author: Christopher Knaus
    Editor: Resources Online
    MS Producer: Alan Le Marquand
    Technical Specialists
    [Reviewer 1]
    [Reviewer 2]
    Microsoft Reviewers