Ing. Eduardo Castro, PhD
Comunidad Windows

ecastro@mswindowscr.org
http://comunidadwindows.org
Windows Server 2008 Security Overview Short
In this presentation we review the security changes in Windows 2008 and Windows 2008 R2

Regards,
Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
http://mswindowscr.org
http://comunidadwindows.org
Costa Rica


http://ecastrom.blogspot.com
http://ecastrom.wordpress.com
http://ecastrom.spaces.live.com
http://universosql.blogspot.com
http://todosobresql.blogspot.com
http://todosobresqlserver.wordpress.com
http://mswindowscr.org/blogs/sql/default.aspx
http://citicr.org/blogs/noticias/default.aspx
http://sqlserverpedia.blogspot.com/

Transcript of "Windows Server 2008 Security Overview Short"

  1. Ing. Eduardo Castro, PhD; Comunidad Windows; ecastro@mswindowscr.org; http://comunidadwindows.org
  2. “Windows Server 2008 helps Macquarie operate… our remote offices more securely and be able to used RODC to “We’ll place domain controllers at sites efficiently than we could in the past.” key infrastructure thatwhere physical security has “The public always been a concern and we’ll we Phillip Dundas created through our have much better control over our deployment of Lead, Technical Team Windows Server remote infrastructure.” Windows Server Group, Information Technology 2008 has fundamentally increased confident that the bank is Group “We are the Macquarie Group Limited security more secure, that devices level of information Loic Calvez now that we have at the bank.”Senior Enterprise Infrastructure are secure, accessing our network Architect Lafarge Security Director and that those devices meet our PKO Bank Polski current network policy for access.” Howard Witherby Senior Vice President of Operations National Bank & Trust
  3. Security Development Lifecycle; Installation Options; Read Only Domain Controller (RODC); Network Access Protection (NAP); Others
  4. Service DirectAccess BitLocker to Go Foundation Mostly Server R2 Mostly Windows 7 Hardening* AppLocker Multiple Firewall Kernel Patch Enhanced Profiles Protection* Storage Access Streamlined UAC Data Execution DNSSEC Biometric Prevention* Framework Enhanced BitLocker* Auditing* HTTP PKI Enroll Suite-B for EFS, PIV Smartcards Kerberos, TLS v1.2 and more
  5. Methods of Security and Policy Enforcement: Network Location Awareness; Network Access Protection; Windows Firewall with Advanced Security; Internet Protocol Security; Windows Server Hardening; Server and Domain Isolation; Active Directory Domain Services Auditing; Read-Only Domain Controller; BitLocker Drive Encryption; Removable Device Installation Control; Enterprise PKI
  6. Create inbound and outbound rules; Create a firewall rule limiting a service
  7. Integrated with WFAS. IPSec improvements: Simplified IPSec policy configuration; Client-to-DC IPSec protection; Improved load balancing and clustering server support; Improved IPSec authentication; Integration with NAP; Multiple authentication methods; New cryptographic support; Integrated IPv4 and IPv6 support; Extended events and performance monitor counters; Network diagnostics framework support
  8. What changes have been made to AD DS auditing?
  9. New Functionality: RODC; AD database; Unidirectional replication; Credential caching; Password replication policy; Administrator role separation; Read-Only DNS; Requirements/special considerations
  10. A read-only Active Directory Domain Services database; Unidirectional replication mitigating misinformation even if a change is made on a RODC; Caching of only specific attributes based; Credential caching for only specific users; Separation of administrator capabilities; Read-only DNS; Pre-create RODC account allowing local installation without the need for admin credentials
  11. Data protection: Drive encryption; Integrity checking. BDE hardware and software requirements
  12. Easier management through PKIView; Certificate Web enrollment; Network device enrollment service; Managing certificates with group policy; Certificate deployment changes; Online certificate status protocol support; Cryptographic next generation
  13. Enforce Security Policy; Improve Domain Security; Improve System Security; Improve Network Communications Security
  14. Network Access Protection: Internal, VPN, and Remote Access Client; IPSec, 802.1X, DHCP, and VPN; NAP NPS and Client included in Windows Server 2008, NAP client included in Windows Vista. Network Access Quarantine Control: Only VPN and Remote Access Clients; DHCP and VPN; Installed from Windows Server 2003 Resource Kit
  15. Automatic remediation; Health policy validation; Health policy compliance; Limited access
  16. How it works. Diagram labels: Windows Client; DHCP, VPN, Switch/Router; Microsoft NPS; Policy Servers (e.g. Patch, Antivirus); Fix Up Servers (e.g. Patch); Restricted Network; Corporate Network; Not policy-compliant; Policy-compliant. Steps:
      (1) Client requests access to network and presents current health state
      (2) DHCP, VPN, or Switch/Router relays health status to Microsoft Network Policy Server (NPS) via Remote Authentication Dial-In User Service (RADIUS)
      (3) Network Policy Server (NPS) validates against IT-defined health policy
      (4) If not policy-compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
      (5) If policy-compliant, client is granted full access to corporate network
  17. IPSec; 802.1X; VPN; DHCP; NPS; RADIUS
  18. Create a NAP policy; Use the MMC to create NAP configuration settings; Create a new RADIUS client; Create a new system health validator for Windows Vista and Windows XP SP2
  19. Logical Networks; IPSec Enforcement; IEEE 802.1X; Remote Access VPNs; DHCP
  20. Checking the health and status of roaming laptops; Ensuring the health of corporate desktops; Determining the health of visiting laptops; Verify the compliance of home computers
  21. Carefully test and plan all security policies; Implement Network Access Protection; Use Windows Firewall and Advanced Security to implement IPSec; Deploy Read-Only Domain Controllers, where appropriate; Implement BitLocker Drive Encryption; Take advantage of PKI improvements
  22. Group Policy Changes How Group Policy works now... Windows Group Policy Service Process Group Policy Templates Vista/Windows Server 2008 GP now runs in a Part of Winlogon ADM Templates ADM templates ADM shared service ADM ADM Templates now in difficult to manage ADM ADM Hardened Service, more ADMX reliable Local GPOs (ADMX, ADMX files ADM ADML) Multiple flexibility with a single local Limited Local Settings Group Policy Settings GPOs GPOLGPO’s Over 800 policy settings in ~1,800 new policy changes LGPO Local Computer Local Computer Policy with Windows Vista LGPO Policy XP Admin Admin/Non-Admin Group Policy Extended GP for new Windows Vista features coverage Incomplete User User Specified Group Policy Network Location missing key means Awareness scenarios of Limited awareness (NLA) Templates and Group Policy Central NLA service provides the latest changing network Replication Store network information ADMX conditions query or register with Applications can Centralized repository ADML Journal Wrap NLA for network change indications for ADMX anyone? Bloated SysVol DC Created in the Sysvol Troubleshootin Group Policy Logging SYSVOL? l Policie DC SysVo + gAdministrative log on DC s + GUID Applications and Services log in each domain ADM + Userenv log + Policy XML based event logs New Replicator with Definitions ADMX, ADML Files GP Result New Tools - GPOLogView FRS/DFS-R DFS-R
  23. What is new? GP PowerShell features: Adding to GP scripts extensions; PowerShell cmdlets to perform GP operations. Starter GPOs in-box in Windows 7; Best practices that map to the security guide; ADMX enhancements; GP Preferences enhancements; GP Preferences, new in Windows Server 2008; New items added to support new OS functionality
  24. Import-module GroupPolicy; get-help *-gp*
      New: New-GPLink; New-GPO; New-GPStarterGPO
      Get: Get-GPInheritance; Get-GPO; Get-GPOReport; Get-GPPermissions; Get-GPPrefRegistryValue; Get-GPRegistryValue; Get-GPResultantSetofPolicy; Get-GPStarterGPO
      Set: Set-GPInheritance; Set-GPLink; Set-GPPermissions; Set-GPPrefRegistryValue; Set-GPRegistryValue
      Remove: Remove-GPLink; Remove-GPO; Remove-GPPrefRegistryValue; Remove-GPRegistryValue
      Misc: Backup-GPO; Copy-GPO; Import-GPO; Rename-GPO; Restore-GPO
  25. Have heard up to 11,000 GPOs. Not best practice: GPMC has perf issues loading; Management difficulties; Troubleshooting difficulties; Migration difficulties. Recommendation: Consolidate. AGPM is tested up to 2000 GPOs
  26. New UI: More intuitive, integrated help content, no more tabs. Support for: REG_MultiSZ; REG_QWORD
  27. Starter GPOs & ADMX UI
  28. Preference Settings; Not true “Policy”; More control of desktop – more settings!; Not limited to policy-aware applications; Ease of administration through rich UI; Better targeting. New in Windows 7: Support for new Power Plan settings; Support for new Schedule task triggers, actions, etc.
  29. Group Policies (Native / Managed): Settings are enforced, user cannot change settings; Settings revert back to original setting; Highest precedence; Work only on specific registry location. Group Policy Preferences: Users can change settings; Multiple items per GPO; Can write registry settings to more than HKCU, HKLM hives; Granular Targeting of individual items
  30. Drive Mappings; Regional Settings; Printer Mappings; Shortcuts; Start Menu; Internet Explorer Settings
  31. Local Users and Groups; Services; Network Shares; Environment Variables
  32. Familiar Experience: Clearer to understand and find; Easy to manage; Better control of individual settings – Red/Green; Powerful browsers; Avoids typing errors; Configure settings quicker
  33. 29 different targeting options; Boolean AND, OR, IS, IS NOT; Wildcard support: “WSBNE*”; Target on the item, not just the GPO
  34. Robust targeting; 29 types; Item level targeting, not GPO level; Boolean logic (And, Or, Not); Collections; Intuitive UI; No need to learn query languages
  35. Apply once and do not reapply; Remove when no longer applicable; Create – Replace – Update – Delete; More than just Enable vs Disable
  36. Active Directory: Windows 2000; Console - Group Policy Manager Console - Snap-in; Part of the Remote Server Admin Tool (link and end); One Windows 7 client or Windows Server 2008 R2 Terminal Server; Client - Client Side Extensions (CSE’s)
  37. 3000 Total ADMX settings; 300 new ADMX settings: IE more than 90 new; BitLocker; Taskbar; Power; Terminal Services rebranded “Remote Desktop Services”. Settings Spreadsheet
  38. 12 settings added under Security Options: Restrict NTLM (multiple); Kerberos encryption types; Local System null session fallback. Only supported on Windows 7 & Windows Server 2008 R2. Settings Spreadsheet
  39. Wireless Network (IEEE 802.11) Policies; Public Key Policies; Certificate Services Client - Certificate Enrollment Policy; BitLocker Drive Encryption; Network Access Protection; Enforcement Clients: Removed RAQ EC and TS Gateway; Enforcement Clients: Added RD Gateway QEC; Application Control Policies – AppLocker; Advanced Audit Policy Configuration; Name Resolution Policy
  40. Storage growth; Storage cost; Compliance; Security and Information leakage. Increasing data management needs / many data management products: Security; HSM; Archive; Backup; Encryption; Replication; Expiration
  41. Business / IT: Need per project share; Make sure business secret files do not leak out; Backup files with personal information to encrypted store; Expire low business impact files created three years ago and not touched for a year
  42. Step 1: Classify data. Step 2: Apply policy according to classification
  43. Information; Personal; Secrecy. Business / IT: Need per project share; Make sure business secret files do not leak out; Backup files with personal information to encrypted store; Expire low business impact files created three years ago and not touched for a year
  44. Step 1: Classify data: Manual; IT Scripts; Automatic classification; Location; Content; Owner; Other; Line Of Business application. Step 2: Apply policy based on classification: Expiration; Search; Reports; Backup; Custom commands; Archive; Security; Leakage prevention
  45. Extensible infrastructure - Partner ecosystem; Inbox end to end scenarios; Integration with SharePoint; Get classification properties API for external applications; Set classification properties API for external applications. Pipeline: Discover Data; Extract classification properties; Classify data; Store classification properties; Apply Policy based on classification. Windows Server 2008 R2 File Classification Extensibility points
  46. When using IPSec – employ ESP with encryption; Carefully test and verify all IPSec Policies; Consider using Domain isolation; Use quality of service to improve bandwidth; Plan to prioritize traffic on the network; Apply network access protection to secure client computers
  47. IPSec Server Domain Isolation; Full Volume Bitlocker on Servers; New elliptic curve encryption strength; Network Level Authentication for RDP; Service Profiling; New Levels of System Auditing; … and many more
  48. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
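
The GroupPolicy cmdlets listed on slide 24 can stage a security setting the way slide 21 recommends (test and plan before enforcing). The following PowerShell is an added example, not part of the presentation: it builds a GPO that requires Network Level Authentication for RDP (slide 47), backs it up, reports on it, and links it disabled. The GPO name, OU and backup folder are placeholders chosen for illustration.

```powershell
# Added example (not from the slides). Run from a domain-joined admin host with
# the Group Policy Management tools installed. Names and paths are placeholders.
Import-Module GroupPolicy

$GpoName   = 'SEC-RDP-Require-NLA'            # hypothetical GPO name
$TargetOu  = 'OU=Servers,DC=example,DC=com'   # hypothetical OU
$BackupDir = 'C:\GPOBackups'                  # hypothetical folder
# Policy-backed registry value behind "require Network Level Authentication" for RDP.
$Key       = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'UserAuthentication'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Reuse the GPO if it exists so the script can be re-run; back it up before editing.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if ($gpo) {
    Backup-GPO -Name $GpoName -Path $BackupDir -Comment 'Before NLA change' | Out-Null
} else {
    $gpo = New-GPO -Name $GpoName -Comment 'Require NLA for Remote Desktop'
}

# Managed policy setting (enforced, as opposed to a Preference item).
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
    -Type DWord -Value 1 | Out-Null

# Read the value back from the GPO and stop if it is not what was intended.
$check = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
if ($check.Value -ne 1) {
    throw "Unexpected value in ${GpoName}: $($check.Value)"
}

# HTML report for review before the GPO is allowed to apply anywhere.
$report = Join-Path $BackupDir "$GpoName.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $report

# Link the GPO in a disabled state unless a link is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null
}

# After validating on a pilot OU, enable the link:
# Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes
```

Keeping the link disabled until the report has been reviewed means a mistake in the GPO never reaches production servers, and the backup gives a known-good copy to restore with Restore-GPO.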