Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal
  • One of the goals of Windows 7 is to enable users to access the information that they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which only requires an internet connection to connect to the Exchange server. But users still have a challenge when accessing resources that are inside the corporate network. For example, users cannot open the links to an internal Web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard to use because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users try to avoid VPN'ing as much as possible and stay disconnected from the corporate network as much as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot service them while they are away from work, so remote PCs fall further out of date and it gets harder and harder to access corporate resources. With the capabilities Windows 7 enables, users who have internet access will be automatically connected to their corporate network. A user who is sitting in a coffee shop can open his laptop, connect to the internet using the wireless access of the coffee shop and start working as if he were in the office. The user in this case will be able to not only use Outlook, but also work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources. The DirectAccess solution is also very appealing to IT professionals: servicing mobile users has been an issue, since they could be disconnected from the corporate network for a long time. With DirectAccess, as long as they have internet connectivity, users will be on the corporate network.
    Servicing mobile users (such as distributing updates and policies) becomes easier since they can be reached more frequently. Deploying Windows 7 will not automatically enable this type of work access connection. You will have the choice to enable it or not, and it will require changes to your backend network infrastructure, including having some servers running Windows Server 2008 R2. But after it is implemented, the solution will have a major impact on the way your mobile employees work.
  • The longer a computer has been deployed, the more the software on it drifts away from its desired configuration. These inconsistencies are greatly accelerated by the installation and execution of non-standard software within the desktop environment. Users today bring software into the environment from home, from Internet downloads (intended and not intended!), and through email. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your PCs are running only approved, licensed software. Coupled with the compliance requirements placed on the enterprise by PCI, SOX, HIPAA and other regulations, enterprises are renewing efforts to lock down their desktops as a means to:
    • Reduce total cost of ownership (TCO)
    • Increase security to safeguard against data loss and the threat of IT theft, and to secure privacy
    • Support compliance solutions by validating which users can run specific applications
    With Windows XP and Windows Vista, we gave IT administrators Software Restriction Policies (SRP) to enable the definition of a relatively secure application lockdown policy. SRP has been utilized with tremendous success in many customer situations, but customers have requested more flexibility and control over the applications in their desktop environment. Windows 7 reenergizes application lockdown policies with a totally revamped set of capabilities in "Application Blocker". "Application Blocker" provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems, and gives users the ability to run only those applications, installation programs, and scripts that administrators have explicitly granted permission to execute. As a result, IT can enforce application standardization within their organization with minimal TCO implications.
  • “Application Blocker” provides a flexible mechanism that allows IT administrators to specify exactly which applications, install packages, and scripts are allowed to run on their systems. When enabled, the feature operates as an “allow list” by default: users may only run applications, installation programs, and scripts that administrators have approved. Within these allow lists, IT administrators can call out exceptions (e.g. allow everything in c:\windows\system32 to run, except the registry editor). In specific instances, where required, explicit deny rules can also be enforced. “Application Blocker” enables IT to enforce application standardization within their organization with minimal cost implications. AppLocker enables IT administrators to manage applications beyond the traditional file name and hash mechanisms that are prevalent today, which gives “Application Blocker” rules resiliency throughout the software update lifecycle. For example, a rule could be written that says “allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe.” Such a rule can be associated with existing security groups within an organization, providing controls that allow an organization to support compliance requirements by validating and enforcing which users can run specific applications. “Application Blocker” is a totally new feature that will only be available in the premium SKUs, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
  • Let's discuss these in greater detail, with specific examples of what we have implemented in IE7 as well as what is new in IE8 (in red).
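As an added example (not code from the presentation or from Microsoft), here is a small Python evaluator for the Allow / Exception / Deny model that the notes above and the later "AppLocker Technical Details" slide describe. The policy is written in the shape of AppLocker's exported XML; the Adobe publisher string, the file paths and the file metadata are constructed for the demo, and the two SIDs are the well-known values for Everyone and BUILTIN\Administrators. It carries the notes' two examples through code: the "Photoshop 8.1 or later, signed by Adobe" publisher rule and the "Windows folder except the registry editor" path rule with an exception, plus an explicit deny and a group-scoped allow, all evaluated in audit-only mode.

```python
"""Toy evaluator for AppLocker-style Allow / Exception / Deny rules.
Added example, not the presentation's or Microsoft's code.  The policy mimics
AppLocker's exported XML and is evaluated as the notes describe: an explicit
Deny beats an Allow, an Allow can carve out Exceptions, a rule applies only to
its user/group SID, and once a collection has rules, anything not allowed is
blocked.  Paths, publisher strings and file metadata are constructed."""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional

# S-1-1-0 is the well-known SID for Everyone; S-1-5-32-544 is BUILTIN\Administrators.
POLICY_XML = r"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
  <FilePublisherRule Id="r1" Name="Photoshop 8.1 or later signed by Adobe" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="PHOTOSHOP" BinaryName="*"><BinaryVersionRange LowSection="8.1.0.0" HighSection="*"/></FilePublisherCondition></Conditions>
  </FilePublisherRule>
  <FilePathRule Id="r2" Name="Windows folder, except the registry editor" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
   <Exceptions><FilePathCondition Path="%WINDIR%\regedit.exe"/></Exceptions>
  </FilePathRule>
  <FilePathRule Id="r3" Name="Nothing runs from the Windows temp folder" UserOrGroupSid="S-1-1-0" Action="Deny">
   <Conditions><FilePathCondition Path="%WINDIR%\Temp\*"/></Conditions>
  </FilePathRule>
  <FilePathRule Id="r4" Name="Administrators may run Program Files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
   <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>"""

PATH_VARS = {"%WINDIR%": r"C:\Windows", "%PROGRAMFILES%": r"C:\Program Files"}  # constructed
EVERYONE: FrozenSet[str] = frozenset({"S-1-1-0"})
ADMINS: FrozenSet[str] = EVERYONE | {"S-1-5-32-544"}  # an admin's token also holds Everyone

@dataclass(frozen=True)
class FileInfo:
    path: str
    publisher: Optional[str] = None  # signing certificate subject; None when unsigned
    product: Optional[str] = None
    binary: Optional[str] = None
    version: Optional[str] = None    # "major.minor.build.revision"

def _version(v: str):
    return tuple(int(p) for p in v.split("."))

def _field_ok(wanted: str, actual: Optional[str]) -> bool:
    return wanted == "*" or (actual or "").upper() == wanted.upper()

def _condition_matches(cond: ET.Element, f: FileInfo) -> bool:
    if cond.tag == "FilePathCondition":
        pattern = cond.get("Path")
        for var, value in PATH_VARS.items():
            pattern = pattern.replace(var, value)
        return fnmatch.fnmatchcase(f.path.lower(), pattern.lower())  # '*' spans subfolders
    if cond.tag == "FilePublisherCondition":
        if f.publisher is None:  # an unsigned file can never satisfy a publisher rule
            return False
        if not (_field_ok(cond.get("PublisherName"), f.publisher)
                and _field_ok(cond.get("ProductName"), f.product)
                and _field_ok(cond.get("BinaryName"), f.binary)):
            return False
        rng = cond.find("BinaryVersionRange")
        low, high, v = rng.get("LowSection"), rng.get("HighSection"), _version(f.version or "0.0.0.0")
        return (low == "*" or v >= _version(low)) and (high == "*" or v <= _version(high))
    return False

def _rule_matches(rule: ET.Element, f: FileInfo, user_sids: FrozenSet[str]) -> bool:
    if rule.get("UserOrGroupSid") not in user_sids:  # rule is scoped to another user/group
        return False
    if not any(_condition_matches(c, f) for c in rule.find("Conditions")):
        return False
    exceptions = rule.find("Exceptions")  # an exception punches a hole in the rule
    return exceptions is None or not any(_condition_matches(c, f) for c in exceptions)

def decide(policy_xml: str, f: FileInfo, user_sids=EVERYONE, collection="Exe") -> str:
    """Rule outcome, 'allow' or 'deny', ignoring the enforcement mode."""
    coll = ET.fromstring(policy_xml).find(f"RuleCollection[@Type='{collection}']")
    if coll is None or len(coll) == 0:
        return "allow"  # a collection with no rules is not restricted at all
    actions = {r.get("Action") for r in coll if _rule_matches(r, f, user_sids)}
    if "Deny" in actions:
        return "deny"   # an explicit deny wins over any matching allow
    return "allow" if "Allow" in actions else "deny"  # default deny once rules exist

def evaluate(policy_xml: str, f: FileInfo, user_sids=EVERYONE, collection="Exe") -> str:
    """'allow', 'deny', or 'audit' (would be denied, but AuditOnly only logs it)."""
    coll = ET.fromstring(policy_xml).find(f"RuleCollection[@Type='{collection}']")
    outcome = decide(policy_xml, f, user_sids, collection)
    if outcome == "deny" and coll is not None and coll.get("EnforcementMode") == "AuditOnly":
        return "audit"
    return outcome

ADOBE = "O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"  # constructed subject
SAMPLE_FILES = {  # constructed metadata, as an inventory of signed/unsigned files would report it
    "photoshop_9": FileInfo(r"C:\Program Files\Adobe\Photoshop.exe", ADOBE, "Photoshop", "Photoshop.exe", "9.0.0.0"),
    "photoshop_8": FileInfo(r"C:\Program Files\Adobe\Photoshop.exe", ADOBE, "Photoshop", "Photoshop.exe", "8.0.0.0"),
    "notepad": FileInfo(r"C:\Windows\System32\notepad.exe"),
    "regedit": FileInfo(r"C:\Windows\regedit.exe"),
    "temp_setup": FileInfo(r"C:\Windows\Temp\setup.exe"),
    "vendor_tool": FileInfo(r"C:\Program Files\Vendor\tool.exe"),
}

if __name__ == "__main__":
    for name, info in SAMPLE_FILES.items():
        print(f"{name:12} standard user: {evaluate(POLICY_XML, info):5}  admin: {evaluate(POLICY_XML, info, ADMINS)}")
```

Running the script prints, for each constructed file, whether a standard user and an administrator get "allow", "audit" (would be blocked, only logged) or "deny"; changing EnforcementMode to Enabled turns every "audit" into a real "deny", which is the rollout path the "Audit only mode" slide bullet points at. Real AppLocker also has Windows Installer, Script and DLL rule collections and hash rules, which are left out here.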

Presentation Transcript

  • Enhance Security and Control
    Azra Rizal
    Security Advisor | DP&E | Microsoft Corporation
  • Windows 7 Enterprise Security
    Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
    Fundamentally Secure Platform
    Protect Users & Infrastructure
    Securing Anywhere Access
    Protect Data from Unauthorized Viewing
    Windows Vista Foundation
    Streamlined User Account Control
    Enhanced Auditing
    Network Security
    Network Access Protection
    DirectAccess™
    AppLocker™
    Internet Explorer 8
    Data Recovery
    RMS
    EFS
    BitLocker
  • Fundamentally Secure Platform
    Windows Vista Foundation
    Enhanced Auditing
    Streamlined User Account Control
    Make the system work well for standard users
    Administrators use full privilege only for administrative tasks
    File and registry virtualization helps applications that are not UAC compliant
    XML based
    Granular audit categories
    Detailed collection of audit results
    Simplified compliance management
    Security Development Lifecycle process
    Kernel Patch Protection
    Windows Service Hardening
    DEP & ASLR
    IE 8 inclusive
    Mandatory Integrity Controls
  • User Account Control
    Windows Vista
    System Works for Standard User
    All users, including administrators, run as Standard User by default
    Administrators use full privilege only for administrative tasks or applications
    Streamlined UAC
    Reduce the number of OS applications and tasks that require elevation
    Refactor applications into elevated/non-elevated pieces
    Flexible prompt behavior for administrators
    Challenges
    Customer Value
    User provides explicit consent before using elevated privilege
    Disabling UAC removes protections, not just consent prompt
    Users can do even more as a standard user
    Administrators will see fewer UAC Elevation Prompts
    Windows 7
  • Desktop Auditing
    Windows Vista
    Enhanced Auditing
    New XML based events
    Fine grained support for audit of administrative privilege
    Simplified filtering of “noise” to find the event you’re looking for
    Tasks tied to events
    Simplified configuration results in lower TCO
    Demonstrate why a person has access to specific information
    Understand why a person has been denied access to specific information
    Track all changes made by specific people or groups
    Challenges
    Granular auditing complex to configure
    Auditing access and privilege use for a group of users
    Windows 7
  • Securing Anywhere Access
    Network Security
    DirectAccess™
    Network Access Protection
    Ensure that only “healthy” machines can access corporate data
    Enable “unhealthy” machines to get clean before they gain access
    Security protected, seamless, always on connection to corporate network
    Improved management of remote users
    Consistent security for all access scenarios
    Windows Firewall can coexist with 3rd party products
    Multi-Home Profiles
    DNSSec
  • Network Access Protection
    Remediation
    Servers
    Example: Patch
    Restricted
    Network
    Corporate Network
    Policy Servers
    such as: Patch, AV
    Health policy validation and remediation
    Helps keep mobile, desktop and server devices in compliance
    Reduces risk from unauthorized systems on the network
    Not policy compliant
    Policy compliant
    DHCP, VPN
    Switch/Router
    Windows
    Client
    NPS
    Windows 7
  • Remote Access for Mobile Workers: Access Information Anywhere
    Situation Today
    DirectAccess™
    Difficult for users to access corporate resources from outside the office
    Challenging for IT to manage, update, patch mobile PCs while disconnected from company network
    Same experience accessing corporate resources inside and outside the office
    Seamless connection increases productivity of mobile users
    Easy to service mobile PCs and distribute updates and polices
    Windows 7 Solution
  • Protect Users & Infrastructure
    AppLocker™
    Data Recovery
    Internet Explorer 8
    Protect users against social engineering and privacy exploits
    Protect users against browser based exploits
    Protect users against web server exploits
    File back up and restore
    CompletePC™ image-based backup
    System Restore
    Volume Shadow Copies
    Volume Revert
    Enables application standardization within an organization without increasing TCO
    Increase security to safeguard against data and privacy loss
    Support compliance enforcement
  • Application Control
    Situation Today
    AppLocker™
    Eliminate unwanted/unknown applications in your network
    Enforce application standardization within your organization
    Easily create and manage flexible rules using Group Policy
    Users can install and run non-standard applications
    Even standard users can install some types of software
    Unauthorized applications may:
    Introduce malware
    Increase helpdesk calls
    Reduce user productivity
    Undermine compliance efforts
    Windows 7 Solution
  • AppLocker™
    Technical Details
    Simple Rule Structure: Allow, Exception & Deny
    Publisher Rules
    Product Publisher, Name, Filename & Version
    Multiple Policies
    Executables, installers & scripts
    Rule creation tools & wizard
    Audit only mode
  • Building on IE7 and addressing the evolving threat landscape
    Social Engineering & Exploits
    Reduce unwanted communications
    Freedom from intrusion
    International Domain Names
    Pop-up Blocker in IE7
    Increased usability
    Browser & Web Server Exploits
    Protection from deceptive websites, malicious code, online fraud, identity theft
    Protection from harm
    Secure Development Lifecycle
    Extended Validation (EV) SSL certs
    SmartScreen® Filter
    Domain Highlighting
    XSS Filter/ DEP/NX
    ActiveX Controls
    Choice and control
    Clear notice of information use
    Provide only what is needed
    Control of information
    User-friendly, discoverable notices
    P3P-enabled cookie controls
    Delete Browsing History
    InPrivate™ Browsing & Blocking
    Internet Explorer 8 Security
  • Protect Data from Unauthorized Viewing
    RMS
    BitLocker
    EFS
    User-based file and folder encryption
    Ability to store EFS keys on a smart card
    Easier to configure and deploy
    Roam protected data between work and home
    Share protected data with co-workers, clients, partners, etc.
    Improve compliance and data security
    Policy definition and enforcement
    Protects information wherever it travels
    Integrated RMS Client
    Policy-based protection of document libraries in SharePoint
  • Data Protection Scenarios
  • BitLocker
    Situation Today
    BitLocker To Go™
    +
    Worldwide Shipments (000s)
    Extend BitLocker™ drive encryption to removable devices
    Create group policies to mandate the use of encryption and block unencrypted drives
    Simplify BitLocker setup and configuration of primary hard drive
    • Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth  
    • Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III 
    Windows 7 Solution
  • BitLocker
    Technical Details
    BitLocker Enhancements
    Automatic 200 Mb hidden boot partition
    New Key Protectors
    Domain Recovery Agent (DRA)
    Smart card – data volumes only
    BitLocker To Go™
    Support for FAT*
    Protectors: DRA, passphrase, smart card and/or auto-unlock
    Management: protector configuration, encryption enforcement
  • Windows 7 Enterprise Security
    Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
    Fundamentally Secure Platform
    Protect Users & Infrastructure
    Securing Anywhere Access
    Protect Data from Unauthorized Viewing
    Windows Vista Foundation
    Streamlined User Account Control
    Enhanced Auditing
    Network Security
    Network Access Protection
    DirectAccess™
    AppLocker™
    Internet Explorer 8
    Data Recovery
    RMS
    EFS
    BitLocker
  • AD RMS & DLP
  • Convergence of DLP and RMS
    Centralized Policy
    Policies Pushed into
    Infrastructure
    Enable advanced workflow
    Identify and Classify Data
    Leverage Controls to Protect Data
    Block
    Warn
    RMS
    Monitor
  • First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)
    Legal department
    RSA DLP
    Outside law firm
    Others
    1. RMS admin creates RMS templates for data protection
    Microsoft AD RMS
    Legal Department
    Outside law firm
    Others
    Legal
    Contracts
    RMS
    View, Edit, Print
    View
    No Access
    2. RSA DLP admin designs policies to find sensitive data and protect it using RMS
    Find Legal Contracts
    Contracts
    DLP Policy
    Apply Legal Contracts RMS
    3. RSA DLP discovers and classifies sensitive files
    5. Users request files - RMS provides policy based access
    4. RSA DLP applies RMS controls based on policy
    Laptops/desktops
    File shares
    SharePoint
    • Automate the application of AD RMS protection based on sensitive information identified by RSA DLP
    • Leverage AD Groups for identity or group aware data loss prevention
  • Long term – Microsoft and RSA Building Information Protection into Infrastructure
    RSA DLP Enterprise Manager
    Add-on
    Policies
    RSA
    Microsoft
    Policies
    Microsoft Information Protection Management
    E-mail/UC
    Endpoint
    Network
    Apps
    FS/CMS
    Storage
    Built-in DLP
    Classification
    and RMS Controls
    Microsoft Environment and Applications
    RSA DLP
    Endpoint
    Complementary
    Platforms and
    functionality
    RSA DLP
    Network
    RSA DLP
    Datacenter
    • Common policies throughout infrastructure
    • Built-in approach to protect data based on content, context, identity
    • Future ready: Seamless upgrade path for current customers
  • © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.