Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal

Published in: Technology, Business
Speaker notes
  • One of the goals of Windows 7 is to enable users to access the information that they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which only requires an internet connection to connect to the Exchange server. But users still have a challenge when accessing resources that are inside the corporate network. For example, users cannot open the links to an internal web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard to use because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users avoid VPN as much as possible and stay disconnected from the corporate network as much as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot service them while they are away from work, so remote PCs fall further out of date and it gets harder and harder to access corporate resources. With the capabilities Windows 7 enables, users who have internet access will be automatically connected to their corporate network. A user sitting in a coffee shop can open his laptop, connect to the internet using the coffee shop's wireless access and start working as if he were in the office. The user will be able not only to use Outlook, but also to work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources. The DirectAccess solution is also very appealing to IT professionals: servicing mobile users has been an issue since they could be disconnected from the corporate network for a long time. With DirectAccess, as long as they have internet connectivity, users will be on the corporate network. Servicing mobile users (such as distributing updates and policies) becomes easier since they can be reached more frequently. Deploying Windows 7 will not automatically enable this type of work access connection. You will have the choice to enable it or not, and it will require changes to your backend network infrastructure, including having some servers running Windows Server 2008 R2. But after it is implemented the solution will have a major impact on the way your mobile employees work.
  • The longer a computer has been deployed, the more the software on it drifts away from its desired configuration. These inconsistencies are greatly accelerated by the installation and execution of non-standard software within the desktop environment. Users today bring software into the environment from home, from Internet downloads (intended and not intended!), and through email. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your PCs are running only approved, licensed software. Coupled with the compliance requirements placed on the enterprise by PCI, SOX, HIPAA and other regulations, enterprises are renewing efforts to lock down their desktops as a means to: reduce total cost of ownership (TCO); increase security to safeguard against data loss and the threat of IT theft and to secure privacy; and support compliance solutions by validating which users can run specific applications. With Windows XP and Windows Vista, we gave IT administrators Software Restriction Policies (SRP) to enable the definition of a relatively secure application lockdown policy. SRP has been utilized with tremendous success in many customer situations, but customers have requested more flexibility and control over the applications in their desktop environment. Windows 7 reenergizes application lockdown policies with a totally revamped set of capabilities in “Application Blocker”. “Application Blocker” provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems and gives users the ability to run only the applications, installation programs, and scripts that administrators have explicitly granted permission to execute. As a result, IT can enforce application standardization within their organization with minimal TCO implications.
  • “Application Blocker” provides a flexible mechanism that allows IT administrators to specify exactly which applications, install packages, and scripts are allowed to run on their systems. When enabled, the feature operates as an “allow list” by default: users may only run applications, installation programs, and scripts that administrators have approved. Within these allow lists, IT administrators can call out exceptions (e.g. allow everything in c:\windows\system32 to run, except the registry editor). In specific instances, where required, specific deny rules can also be enforced. “Application Blocker” enables IT to enforce application standardization within their organization with minimal cost implications. AppLocker enables IT administrators to manage applications beyond the traditional file name and hash mechanisms that are prevalent, which gives “Application Blocker” rules resiliency throughout the software update lifecycle. For example, a rule could be written that says “allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe.” Such a rule can be associated with existing security groups within an organization, providing controls that allow an organization to support compliance requirements by validating and enforcing which users can run specific applications. “Application Blocker” is a totally new feature that will only be available in the premium SKUs, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
  • Let's discuss these in greater detail with specific examples of what we have implemented in IE 7 as well as what is new in IE8 (in red).
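The rule evaluation described in the AppLocker notes above (an allow list with exceptions carved out of an allow rule, explicit deny rules, publisher rules keyed on signer, product and minimum version, and rules scoped to security groups) as an added Python model; this is illustrative code, not Microsoft's implementation, and the policy, file paths, signer name and groups are constructed sample data. The precedence it implements (deny beats allow, an allow with a matching exception does not apply, anything not explicitly allowed is blocked) is the documented AppLocker behaviour.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Sequence, Tuple

Version = Tuple[int, int, int, int]


@dataclass(frozen=True)
class FileInfo:
    """Metadata AppLocker would read from a file (constructed sample data here)."""
    path: str
    publisher: str = ""              # certificate subject of the signer, "" if unsigned
    product: str = ""
    version: Version = (0, 0, 0, 0)


@dataclass(frozen=True)
class Condition:
    """A path condition (glob) or a publisher condition (signer, product, minimum version)."""
    path_glob: Optional[str] = None
    publisher: Optional[str] = None
    product: Optional[str] = None    # None means any product from that publisher
    min_version: Version = (0, 0, 0, 0)

    def matches(self, f: FileInfo) -> bool:
        if self.path_glob is not None:
            return fnmatch(f.path.lower(), self.path_glob.lower())
        # Publisher rule: an unsigned or differently signed file never matches,
        # so renaming or copying a binary cannot satisfy it (unlike a path rule).
        if not f.publisher or f.publisher != self.publisher:
            return False
        if self.product is not None and f.product != self.product:
            return False
        return f.version >= self.min_version


@dataclass(frozen=True)
class Rule:
    action: str                               # "Allow" or "Deny"
    condition: Condition
    exceptions: Tuple[Condition, ...] = ()    # carved out of an Allow rule
    group: str = "Everyone"                   # security group the rule is assigned to


def is_allowed(f: FileInfo, rules: Sequence[Rule], user_groups=("Everyone",)) -> bool:
    """Explicit Deny beats Allow; an Allow whose exception matches does not apply;
    a file that no Allow rule covers is blocked (allow-list default)."""
    applicable = [r for r in rules if r.group in user_groups]
    if any(r.action == "Deny" and r.condition.matches(f) for r in applicable):
        return False
    return any(
        r.action == "Allow" and r.condition.matches(f)
        and not any(e.matches(f) for e in r.exceptions)
        for r in applicable
    )


# Constructed policy reproducing the two examples from the notes plus one Deny rule.
POLICY = (
    Rule("Allow", Condition(path_glob=r"C:\Windows\System32\*"),
         exceptions=(Condition(path_glob=r"C:\Windows\System32\regedit.exe"),)),
    Rule("Allow", Condition(publisher="Adobe Systems Incorporated",  # sample signer name
                            product="Photoshop", min_version=(8, 1, 0, 0)),
         group="Designers"),
    Rule("Deny", Condition(path_glob=r"C:\Windows\System32\cmd.exe"), group="Kiosk"),
)

if __name__ == "__main__":
    sample = FileInfo(r"C:\Windows\System32\regedit.exe")
    print("regedit.exe allowed:", is_allowed(sample, POLICY))   # False
```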
Transcript of "Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal"

    1. Enhance Security and Control
       Azra Rizal, Security Advisor | DP&E | Microsoft Corporation
    2. Windows 7 Enterprise Security
       Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
       • Fundamentally Secure Platform: Windows Vista Foundation, Streamlined User Account Control, Enhanced Auditing
       • Securing Anywhere Access: Network Security, Network Access Protection, DirectAccess™
       • Protect Users & Infrastructure: AppLocker™, Internet Explorer 8, Data Recovery
       • Protect Data from Unauthorized Viewing: RMS, EFS, BitLocker
    3. Fundamentally Secure Platform
       • Windows Vista Foundation: Security Development Lifecycle process; Kernel Patch Protection; Windows Service Hardening; DEP & ASLR (IE 8 inclusive); Mandatory Integrity Controls
       • Streamlined User Account Control: make the system work well for standard users; administrators use full privilege only for administrative tasks; file and registry virtualization helps applications that are not UAC compliant
       • Enhanced Auditing: XML based; granular audit categories; detailed collection of audit results; simplified compliance management
    4. User Account Control
       • Windows Vista (system works for standard user): all users, including administrators, run as Standard User by default; administrators use full privilege only for administrative tasks or applications
       • Windows 7 (streamlined UAC): reduce the number of OS applications and tasks that require elevation; refactor applications into elevated/non-elevated pieces; flexible prompt behavior for administrators
       • Challenges: user provides explicit consent before using elevated privilege; disabling UAC removes protections, not just the consent prompt
       • Customer Value: users can do even more as a standard user; administrators will see fewer UAC elevation prompts
    5. Desktop Auditing
       • Windows Vista (enhanced auditing): new XML based events; fine grained support for audit of administrative privilege; simplified filtering of “noise” to find the event you’re looking for; tasks tied to events
       • Windows 7: simplified configuration results in lower TCO; demonstrate why a person has access to specific information; understand why a person has been denied access to specific information; track all changes made by specific people or groups
       • Challenges: granular auditing complex to configure; auditing access and privilege use for a group of users
    6. Securing Anywhere Access
       • Network Access Protection: ensure that only “healthy” machines can access corporate data; enable “unhealthy” machines to get clean before they gain access
       • DirectAccess™: security protected, seamless, always on connection to corporate network; improved management of remote users
       • Network Security: consistent security for all access scenarios; Windows Firewall can coexist with 3rd party products; multi-home profiles; DNSSec
    7. Network Access Protection (Windows 7)
       • Health policy validation and remediation
       • Helps keep mobile, desktop and server devices in compliance
       • Reduces risk from unauthorized systems on the network
       (Diagram: a Windows client connects through an enforcement point (DHCP, VPN, switch/router) to the NPS, which validates health against policy servers such as patch and AV; a policy-compliant client reaches the corporate network, while a non-compliant client is placed on a restricted network with remediation servers, for example a patch server.)
    8. Remote Access for Mobile Workers: Access Information Anywhere
       • Situation Today: difficult for users to access corporate resources from outside the office; challenging for IT to manage, update and patch mobile PCs while disconnected from the company network
       • Windows 7 Solution (DirectAccess™): same experience accessing corporate resources inside and outside the office; seamless connection increases productivity of mobile users; easy to service mobile PCs and distribute updates and policies
    9. Protect Users & Infrastructure
       • Internet Explorer 8: protect users against social engineering and privacy exploits; protect users against browser based exploits; protect users against web server exploits
       • Data Recovery: file back up and restore; CompletePC™ image-based backup; System Restore; Volume Shadow Copies; Volume Revert
       • AppLocker™: enables application standardization within an organization without increasing TCO; increase security to safeguard against data and privacy loss; support compliance enforcement
    10. Application Control
       • Situation Today: users can install and run non-standard applications; even standard users can install some types of software; unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity and undermine compliance efforts
       • Windows 7 Solution (AppLocker™): eliminate unwanted/unknown applications in your network; enforce application standardization within your organization; easily create and manage flexible rules using Group Policy
    11. AppLocker™ Technical Details
       • Simple rule structure: Allow, Exception & Deny
       • Publisher rules: product publisher, name, filename & version
       • Multiple policies: executables, installers & scripts
       • Rule creation tools & wizard
       • Audit only mode
    12. Internet Explorer 8 Security: Building on IE7 and addressing the evolving threat landscape
       • Social Engineering & Exploits (freedom from intrusion; reduce unwanted communications): International Domain Names; Pop-up Blocker in IE7; increased usability
       • Browser & Web Server Exploits (protection from harm; protection from deceptive websites, malicious code, online fraud, identity theft): Secure Development Lifecycle; Extended Validation (EV) SSL certs; SmartScreen® Filter; Domain Highlighting; XSS Filter / DEP/NX; ActiveX Controls
       • Choice and control (control of information; clear notice of information use; provide only what is needed): user-friendly, discoverable notices; P3P-enabled cookie controls; Delete Browsing History; InPrivate™ Browsing & Blocking
    13. Protect Data from Unauthorized Viewing
       • EFS: user-based file and folder encryption; ability to store EFS keys on a smart card; easier to configure and deploy
       • BitLocker: roam protected data between work and home; share protected data with co-workers, clients, partners, etc.; improve compliance and data security
       • RMS: policy definition and enforcement; protects information wherever it travels; integrated RMS client; policy-based protection of document libraries in SharePoint
    14. Data Protection Scenarios
    15. BitLocker
       • Situation Today: chart of worldwide shipments (000s) of PCs and USB flash drives (sources: Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011”, 24 September 2007, Joseph Unsworth; Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08”, 18 April 2008, Mikako Kitagawa, George Shiffler III)
       • Windows 7 Solution (BitLocker To Go™): extend BitLocker™ drive encryption to removable devices; create group policies to mandate the use of encryption and block unencrypted drives; simplify BitLocker setup and configuration of the primary hard drive
    16. BitLocker Technical Details
       • BitLocker enhancements: automatic 200 MB hidden boot partition; new key protectors: Domain Recovery Agent (DRA), smart card (data volumes only)
       • BitLocker To Go™: support for FAT*; protectors: DRA, passphrase, smart card and/or auto-unlock; management: protector configuration, encryption enforcement
    17. Windows 7 Enterprise Security (closing summary, repeating the agenda of slide 2)
    18. AD RMS & DLP
    19. Convergence of DLP and RMS
       • Centralized policy: policies pushed into infrastructure; enable advanced workflow
       • Identify and classify data
       • Leverage controls to protect data: Block, Warn, RMS, Monitor
    20. First Step: RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)
       1. RMS admin creates RMS templates for data protection (Microsoft AD RMS; “Legal Contracts” template: Legal department has View, Edit, Print; outside law firm has View; others have No Access)
       2. RSA DLP admin designs policies to find sensitive data and protect it using RMS (DLP policy: find Legal Contracts, apply Legal Contracts RMS template)
       3. RSA DLP discovers and classifies sensitive files (laptops/desktops, file shares, SharePoint)
       4. RSA DLP applies RMS controls based on policy
       5. Users request files; RMS provides policy based access
       • Automate the application of AD RMS protection based on sensitive information identified by RSA DLP
       • Leverage AD Groups for identity or group aware data loss prevention
    21. Long term: Microsoft and RSA Building Information Protection into Infrastructure
       • RSA DLP Enterprise Manager (RSA policies) with a Microsoft add-on; Microsoft Information Protection Management (Microsoft policies)
       • Microsoft environment and applications (E-mail/UC, Endpoint, Network, Apps, FS/CMS, Storage) with built-in DLP classification and RMS controls
       • Complementary platforms and functionality: RSA DLP Endpoint, RSA DLP Network, RSA DLP Datacenter
       • Common policies throughout infrastructure
       • Built-in approach to protect data based on content, context, identity
       • Future ready: seamless upgrade path for current customers
    22. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
       The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.