Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal
Windows 7 Security Story Core
  • One of the goals of Windows 7 is to enable users to access the information they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which requires only an internet connection to connect to the Exchange server. But users still have a challenge when accessing resources that are inside the corporate network. For example, users cannot open the links to an internal Web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard for users because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users avoid VPN as much as possible and stay disconnected from the corporate network as much as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot service them while they are away from work; remote users stay more out of date, and it gets harder and harder for them to access corporate resources.

    With the capabilities Windows 7 enables, users who have internet access will be automatically connected to their corporate network. A user sitting in a coffee shop can open his laptop, connect to the internet using the coffee shop's wireless access, and start working as if he were in the office. The user in this case will be able not only to use Outlook, but also to work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources.

    The DirectAccess solution is also very appealing to IT professionals. Servicing mobile users has been an issue, since they could be disconnected from the corporate network for a long time. With DirectAccess, as long as they have internet connectivity, users will be on the corporate network, and servicing them (such as distributing updates and policies) becomes easier since they can be reached more frequently. Deploying Windows 7 will not automatically enable this type of work access connection. You will have the choice to enable it or not, and it will require changes to your backend network infrastructure, including having some servers running Windows Server 2008 R2. But after it is implemented, the solution will have a major impact on the way your mobile employees work.
  • The longer a computer has been deployed, the more the software on it drifts away from its desired configuration. These inconsistencies are greatly accelerated by the installation and execution of non-standard software within the desktop environment. Users today bring software into the environment from home, from Internet downloads (intended and not intended!), and through email. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your PCs are running only approved, licensed software. Coupled with the compliance requirements placed on the enterprise by OCI, SOX, HIPAA and other regulations, enterprises are renewing efforts to lock down their desktops as a means to:
    • Reduce total cost of ownership (TCO)
    • Increase security to safeguard against data loss and the threat of IT theft, and to secure privacy
    • Support compliance solutions by validating which users can run specific applications

    With Windows XP and Windows Vista, we gave IT administrators Software Restriction Policies (SRP) to enable the definition of a relatively secure application lockdown policy. SRP has been used with tremendous success in many customer situations, but customers have requested more flexibility and control over the applications in their desktop environment. Windows 7 reenergizes application lockdown policies with a totally revamped set of capabilities in “Application Blocker”. “Application Blocker” provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems and gives users the ability to run applications, installation programs, and scripts that administrators have explicitly granted permission to execute. As a result, IT can enforce application standardization within their organization with minimal TCO implications.
  • “Application Blocker” provides a flexible mechanism that allows IT administrators to specify exactly which applications, install packages, and scripts are allowed to run on their systems. When enabled, the feature operates as an “allow list” by default: users may only run applications, installation programs, and scripts that administrators have approved. Within these allow lists, IT administrators can call out exceptions (e.g. allow everything in c:\windows\system32 to run, except the registry editor). In specific instances, where required, explicit deny rules can also be enforced. “Application Blocker” enables IT to enforce application standardization within their organization with minimal cost implications. AppLocker lets IT administrators manage applications beyond the traditional file name and hash mechanisms that are prevalent today, which gives “Application Blocker” rules resiliency throughout the software update lifecycle. For example, a rule could be written that says “allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe.” Such a rule can be associated with existing security groups within an organization, providing controls that allow an organization to support compliance requirements by validating and enforcing which users can run specific applications. “Application Blocker” is a totally new feature that will only be available in the premium SKUs, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
  • Let's discuss these in greater detail, with specific examples of what we have implemented in IE7 as well as what is new in IE8 (in red).
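The two AppLocker rule kinds the notes above describe (an allow-list path rule with a carved-out exception, and a publisher rule for a version range tied to a security group) can be written as one policy and rolled out in the audit-only mode named on the AppLocker slide. The script below is an added example, not material from the deck or Microsoft's own documentation; it assumes an elevated PowerShell on Windows 7 Enterprise/Ultimate or Windows Server 2008 R2, and the group SID, Adobe publisher subject and product name in it are placeholders.

```powershell
# Added example, not from the deck: an AppLocker policy expressing the two rule
# kinds the notes describe (path rule with an exception, publisher rule for one
# security group), deployed in audit-only mode first and checked before enforcing.
# Assumptions: elevated PowerShell on Windows 7 Enterprise/Ultimate or Server 2008 R2;
# the group SID, Adobe publisher subject and product name below are placeholders
# (take real values from Get-AppLockerFileInformation on a signed Photoshop binary).
Import-Module AppLocker
$photoshopGroupSid = 'S-1-5-32-545'   # placeholder: BUILTIN\Users; use your AD group's SID
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow list entry: everything under the Windows folder, except the registry editor -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Windows folder minus regedit"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
    <!-- Publisher rule: Photoshop 8.1 and later, only if signed by Adobe, for one group -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Photoshop 8.1+ signed by Adobe"
                       Description="" UserOrGroupSid="$photoshopGroupSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE PUBLISHER PLACEHOLDER, C=US"
                                ProductName="ADOBE PHOTOSHOP" BinaryName="*">
          <BinaryVersionRange LowSection="8.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against real files before touching the live policy. PolicyDecision is
# Allowed, Denied, or DeniedByDefault (no rule matched, so the allow list blocks it).
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path "$env:WINDIR\regedit.exe", "$env:WINDIR\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (existing collections are kept) and make sure the
# Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Review the audit trail: event 8003 means "allowed now, would be blocked if enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Once the 8003 events over a few weeks show only programs you intend to block, switch EnforcementMode to Enabled; a domain-wide rollout goes through a Group Policy object instead of the local policy.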
  • Transcript

    • 1. Enhance Security and Control
      Azra Rizal
      Security Advisor | DP&E | Microsoft Corporation
    • 2. Windows 7 Enterprise Security
      Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
      Fundamentally Secure Platform
      Protect Users & Infrastructure
      Securing Anywhere Access
      Protect Data from Unauthorized Viewing
      Windows Vista Foundation
      Streamlined User Account Control
      Enhanced Auditing
      Network Security
      Network Access Protection
      DirectAccess™
      AppLocker™
      Internet Explorer 8
      Data Recovery
      RMS
      EFS
      BitLocker
    • 3. Fundamentally Secure Platform
      Windows Vista Foundation
      Enhanced Auditing
      Streamlined User Account Control
      Make the system work well for standard users
      Administrators use full privilege only for administrative tasks
      File and registry virtualization helps applications that are not UAC compliant
      XML based
      Granular audit categories
      Detailed collection of audit results
      Simplified compliance management
      Security Development Lifecycle process
      Kernel Patch Protection
      Windows Service Hardening
      DEP & ASLR
      IE 8 inclusive
      Mandatory Integrity Controls
    • 4. User Account Control
      Windows Vista
      System Works for Standard User
      All users, including administrators, run as Standard User by default
      Administrators use full privilege only for administrative tasks or applications
      Streamlined UAC
      Reduce the number of OS applications and tasks that require elevation
      Refactor applications into elevated/non-elevated pieces
      Flexible prompt behavior for administrators
      Challenges
      Customer Value
      User provides explicit consent before using elevated privilege
      Disabling UAC removes protections, not just consent prompt
      Users can do even more as a standard user
      Administrators will see fewer UAC Elevation Prompts
      Windows 7
    • 5. Desktop Auditing
      Windows Vista
      Enhanced Auditing
      New XML based events
      Fine grained support for audit of administrative privilege
      Simplified filtering of “noise” to find the event you’re looking for
      Tasks tied to events
      Simplified configuration results in lower TCO
      Demonstrate why a person has access to specific information
      Understand why a person has been denied access to specific information
      Track all changes made by specific people or groups
      Challenges
      Granular auditing complex to configure
      Auditing access and privilege use for a group of users
      Windows 7
    • 6. Securing Anywhere Access
      Network Security
      DirectAccess™
      Network Access Protection
      Ensure that only “healthy” machines can access corporate data
      Enable “unhealthy” machines to get clean before they gain access
      Security protected, seamless, always on connection to corporate network
      Improved management of remote users
      Consistent security for all access scenarios
      Windows Firewall can coexist with 3rd party products
      Multi-Home Profiles
      DNSSec
    • 7. Network Access Protection
      Health policy validation and remediation
      Helps keep mobile, desktop and server devices in compliance
      Reduces risk from unauthorized systems on the network
      Diagram: a Windows 7 client connects through an enforcement point (DHCP, VPN, switch/router) to NPS, which checks health against policy servers (such as Patch, AV); a policy compliant client reaches the Corporate Network, while a client that is not policy compliant is placed on the Restricted Network with the remediation servers (example: Patch)
    • 8. Remote Access for Mobile Workers: Access Information Anywhere
      Situation Today
      DirectAccess™
      Difficult for users to access corporate resources from outside the office
      Challenging for IT to manage, update, patch mobile PCs while disconnected from company network
      Same experience accessing corporate resources inside and outside the office
      Seamless connection increases productivity of mobile users
      Easy to service mobile PCs and distribute updates and polices
      Windows 7 Solution
    • 9. Protect Users & Infrastructure
      AppLocker™
      Data Recovery
      Internet Explorer 8
      Protect users against social engineering and privacy exploits
      Protect users against browser based exploits
      Protect users against web server exploits
      File back up and restore
      CompletePC™ image-based backup
      System Restore
      Volume Shadow Copies
      Volume Revert
      Enables application standardization within an organization without increasing TCO
      Increase security to safeguard against data and privacy loss
      Support compliance enforcement
    • 10. Application Control
      Situation Today
      AppLocker™
      Eliminate unwanted/unknown applications in your network
      Enforce application standardization within your organization
      Easily create and manage flexible rules using Group Policy
      Users can install and run non-standard applications
      Even standard users can install some types of software
      Unauthorized applications may:
      Introduce malware
      Increase helpdesk calls
      Reduce user productivity
      Undermine compliance efforts
      Windows 7 Solution
    • 11. AppLocker™
      Technical Details
      Simple Rule Structure: Allow, Exception & Deny
      Publisher Rules
      Product Publisher, Name, Filename & Version
      Multiple Policies
      Executables, installers & scripts
      Rule creation tools & wizard
      Audit only mode
    • 12. Building on IE7 and addressing the evolving threat landscape
      Social Engineering & Exploits
      Reduce unwanted communications
      Freedom from intrusion
      International Domain Names
      Pop-up Blocker in IE7
      Increased usability
      Browser & Web Server Exploits
      Protection from deceptive websites, malicious code, online fraud, identity theft
      Protection from harm
      Secure Development Lifecycle
      Extended Validation (EV) SSL certs
      SmartScreen® Filter
      Domain Highlighting
      XSS Filter / DEP/NX
      ActiveX Controls
      Choice and control
      Clear notice of information use
      Provide only what is needed
      Control of information
      User-friendly, discoverable notices
      P3P-enabled cookie controls
      Delete Browsing History
      InPrivate™ Browsing & Blocking
      Internet Explorer 8 Security
    • 13. Protect Data from Unauthorized Viewing
      RMS
      BitLocker
      EFS
      User-based file and folder encryption
      Ability to store EFS keys on a smart card
      Easier to configure and deploy
      Roam protected data between work and home
      Share protected data with co-workers, clients, partners, etc.
      Improve compliance and data security
      Policy definition and enforcement
      Protects information wherever it travels
      Integrated RMS Client
      Policy-based protection of document libraries in SharePoint
    • 14. Data Protection Scenarios
    • 15. BitLocker
      Situation Today
      Chart: Worldwide Shipments (000s)
      Windows 7 Solution: BitLocker To Go™
      Extend BitLocker™ drive encryption to removable devices
      Create group policies to mandate the use of encryption and block unencrypted drives
      Simplify BitLocker setup and configuration of primary hard drive
      Sources: Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011”, 24 September 2007, Joseph Unsworth; Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08”, 18 April 2008, Mikako Kitagawa, George Shiffler III
    • 17. BitLocker
      Technical Details
      BitLocker Enhancements
      Automatic 200 MB hidden boot partition
      New Key Protectors
      Domain Recovery Agent (DRA)
      Smart card – data volumes only
      BitLocker To Go™
      Support for FAT*
      Protectors: DRA, passphrase, smart card and/or auto-unlock
      Management: protector configuration, encryption enforcement
    • 18. Windows 7 Enterprise Security
      Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
      Fundamentally Secure Platform
      Protect Users & Infrastructure
      Securing Anywhere Access
      Protect Data from Unauthorized Viewing
      Windows Vista Foundation
      Streamlined User Account Control
      Enhanced Auditing
      Network Security
      Network Access Protection
      DirectAccess™
      AppLocker™
      Internet Explorer 8
      Data Recovery
      RMS
      EFS
      BitLocker
    • 19. AD RMS & DLP
    • 20. Convergence of DLP and RMS
      Centralized Policy
      Policies Pushed into
      Infrastructure
      Enable advanced workflow
      Identify and Classify Data
      Leverage Controls to Protect Data
      Block
      Warn
      RMS
      Monitor
    • 21. First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)
      Diagram: RSA DLP and Microsoft AD RMS; the “Legal Contracts” RMS template gives the Legal department View, Edit, Print; the outside law firm View; others No Access
      1. RMS admin creates RMS templates for data protection
      2. RSA DLP admin designs policies to find sensitive data and protect it using RMS (DLP policy: find Legal Contracts, apply Legal Contracts RMS)
      3. RSA DLP discovers and classifies sensitive files (laptops/desktops, file shares, SharePoint)
      4. RSA DLP applies RMS controls based on policy
      5. Users request files - RMS provides policy based access
      • Automate the application of AD RMS protection based on sensitive information identified by RSA DLP
      • Leverage AD Groups for identity or group aware data loss prevention
    • Long term – Microsoft and RSA Building Information Protection into Infrastructure
      Diagram: RSA DLP Enterprise Manager (RSA and Microsoft policies, add-on) and Microsoft Information Protection Management; the Microsoft environment and applications (E-mail/UC, Endpoint, Network, Apps, FS/CMS, Storage) with built-in DLP classification and RMS controls; RSA DLP Endpoint, RSA DLP Network and RSA DLP Datacenter as complementary platforms and functionality
      • Common policies throughout infrastructure
      • Built-in approach to protect data based on content, context, identity
      • Future ready: Seamless upgrade path for current customers
    • © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
      The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.