Windows Server 2008 Security Enhancements


Published in: Technology

  1. Security Enhancement
       • Narenda Wicaksono
       • IT Pro Advisor, Microsoft Indonesia
  2. Agenda
       • Security Fundamentals
       • Threat and Vulnerability Mitigation
       • Identity and Access Control
       • Compliance Enhancements
       • Technology Coverage: Read Only Domain Controller, BitLocker, Service Hardening, Server Core, Device Installation, Next Gen firewall, NAP and Terminal Services/RDP changes, Rights management, … and more
  3. Security and Compliance
       • Security Fundamentals: Security Development Lifecycle, Windows Service Hardening, Next Generation Crypto, PKI Enhancements
       • Threat & Vulnerability Mitigation: Network Access Protection, Read-Only Domain Controller, Enhanced Auditing, Server and Domain Isolation
       • Identity & Access Control: Active Directory Federation Services, Plug and Play Smartcards, Granular Auditing, Granular Password Control
       • Compliance Enhancements: BitLocker™ Drive Encryption, EFS Smartcards, Rights Management Server, Removable Device Control
  4. Security Fundamentals
  5. Security Development Lifecycle
       • Mandated development process for Windows Server and Windows Vista
       • Periodic mandatory security training
       • Assignment of security advisors for all components
       • Threat modeling as part of design phase
       • Security reviews and testing built into the schedule
       • Security metrics for product teams
       • Common Criteria (CC) Certification
  6. Windows Service Hardening: Defense-in-Depth / Factoring
       • Reduce size of high-risk layers
       • Segment the services
       • Increase # of layers
       • [Diagram labels: Service 1, Service 2, Service 3, Service …, Service A, Service B; Kernel Drivers; User-mode Drivers]
  7. Server Core
       • Minimal installation option
       • Low surface area
       • Command line interface
       • Limited set of server roles
       • [Diagram labels]
           • SERVER, SERVER ROLES (for example only): TS, IAS, WebServer, SharePoint, etc.
           • SERVER: with WinFx, Shell, Tools, etc.
           • SERVER CORE SERVER ROLES: DNS, DHCP, File, AD, WV, IIS
           • SERVER CORE: Security, TCP/IP, File Systems, RPC, plus other Core Server Sub-Systems
           • GUI, CLR, Shell, IE, Media, OE, etc.
  8. Windows Server 2008 Services
  9. Cryptography Next Generation (CNG)
       • Includes algorithms for encryption, digital signatures, key exchange, and hashing
       • Supports cryptography in kernel mode
       • Supports the current set of CryptoAPI 1.0 algorithms
       • Support for elliptic curve cryptography (ECC) algorithms
       • Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
  10. PKI Enhancements
       • Online Certificate Status Protocol (OCSP)
       • Enterprise PKI (PKIView)
       • Network Device Enrollment Service and Simple Certificate Enrollment Protocol
       • Web Enrollment
  11. Windows Server Firewall
       • More Control
       • Combined firewall and IPsec management
  12. Windows Server Firewall
       • More Control
       • Firewall rules become more intelligent
  13. Windows Server Firewall
       • More Control
       • Firewall rules become more intelligent
  14. Windows Server Firewall
       • More Control
       • Firewall rules become more intelligent
  15. Windows Server Firewall
       • More Control
       • Policy-based networking
  16. Enhancing and Simplifying IPsec
  17. Threat and Vulnerability Mitigation
  18. Server and Domain Isolation
       • [Diagram labels: Servers with Sensitive Data; Server Isolation; HR Workstation; Managed Computer; Domain Isolation; Active Directory Domain Controller; Corporate Network; Trusted Resource Server; Unmanaged/Rogue Computer (X); Untrusted (X)]
  19. Network Access Protection (Windows Server 2008)
       • [Diagram labels, steps 1 to 5: Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party); Fix Up Servers (e.g. MSFT WSUS, SMS & 3rd party); Restricted Network; Corporate Network; MSFT Network Policy Server; Windows Vista Client; DHCP, VPN, Switch/Router; Not policy compliant; Policy compliant]
       • Benefits
           • Enhanced Security
               • All communications are authenticated, authorized & healthy
               • Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
               • Policy-based access that IT Pros can set and control
           • Increased Business Value
               • Preserves user productivity
               • Extends existing investments in Microsoft and 3rd party infrastructure
               • Broad industry partnership
  20. Read-Only Domain Controller
       • Read-Only Copy of AD Database
           • Can Hold all Directory Objects & Attributes
           • Maintains Read-Only Copy of DNS Zones
       • Unidirectional Replication
           • No Local Changes – Pull from Upstream Only
           • Controlled Replication - Limits Bandwidth Use
       • Credential Handling
           • Can Cache User Passwords (Explicitly Set)
           • Admin Knowledge of Accounts if Compromised
           • RODC May Only Issue Local Auth Tickets
       • Administrative Role Separation
           • Management Delegated to Local User
           • No Enterprise or Domain DC Membership
       • [Diagram labels: HUB: Writeable DC, Secure Location; Branch: Read-Only DC, Read-Only DNS, One-way Replication, Credential Cache, Local Admin Role]
  21. How RODC Works
       • Step 1: AS_Req sent to RODC (request for TGT)
       • Step 2: RODC: Looks in DB: "I don't have the user's secrets"
       • Step 3: Forwards Request to Windows Server "Longhorn" DC
       • Step 4: Windows Server "Longhorn" DC authenticates request
       • Step 5: Returns authentication response and TGT back to the RODC
       • Step 6: RODC gives TGT to User and RODC will cache credentials
       • Step 7: At this point the user will have a hub signed TGT
       • [Diagram labels: Hub: Windows Server "Longhorn" DC; Branch: Read Only DC]
  22. Read-only DC Mitigates Stolen DC
       • Attacker Perspective
  23. Read-only DC Mitigates Stolen DC
       • Hub Admin Perspective
  24. Improved Auditing
       • More Granularity
           • Support for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege, Active Directory
           • Captures the Who, the What, & the When
           • From and To Values for Objects or Attributes
           • Logs All – Creates, Modifies, Moves, Deletes
       • New Logging Infrastructure
           • Easier to filter out "noise" in logs
           • Tasks tied to events: When an event occurs, tasks such as sending an email to an auditor can run automatically
  25. Identity and Access Control
  26. Active Directory Federation Services
       • Full implementation of a 'claims-based' architecture based on WS-Federation
       • Fully integrated with Active Directory
       • Supports group, role and rules-based models
       • Partner Value Add
           • BMC, Centrify & Quest: Multi-platform support
       • Business Benefits
           • Enables new models for cross-company single sign-on systems
           • Facilitates single sign-on across Windows and non-Windows environments
           • Reduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information
  27. Authentication Improvements
       • Plug and Play Smart Cards
           • Drivers and Certificate Service Provider (CSP) included
           • Login and credential prompts for User Account Control all support Smart Cards
       • New logon architecture
           • GINA (the old Windows logon model) is gone
           • Third parties can add biometrics, one-time password tokens, and other authentication methods with much less coding
  28. Granular Policy Control
       • Allows setting Password Policies on Users and/or Groups (different from the domain's Password Policies)
       • Big Win for Customers: Requirements for different Password Policies no longer result in deploying multiple domains
       • New Object-Type in Active Directory, the Password Settings Object
       • Password Settings are configured using those Objects in the Password Settings Container
  29. Compliance Enhancements
  30. AD Rights Management Services
       • AD RMS protects access to an organization's digital files
       • AD RMS in Windows Server "Longhorn" includes several new features
           • Improved installation and administration experience
           • Self-enrollment of the AD RMS cluster
           • Integration with AD FS
           • New AD RMS administrative roles
       • [Diagram labels, steps 1 to 3: SQL Server; Active Directory; RMS Server; Information Author; The Recipient]
  31. BitLocker™ Drive Encryption
       • Full Volume Encryption Key (FVEK)
       • Encryption Policy
       • Group Policy allows central encryption policy and provides Branch Office protection
       • Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
       • Uses a v1.2 TPM or USB flash drive for key storage
  32. Information Protection
       • Who are you protecting against?
           • Other users or administrators on the machine? EFS
           • Unauthorized users with physical access? BitLocker™
       • Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins)
  33. Removable Device Installation Control
       • Benefits:
           • Reduced Support Costs
           • Reduced Risk of Data Theft
       • Scenarios:
           • Prevent installation of all devices
           • Allow installation of only allowed devices
           • Prevent installation of only prohibited devices
  34. Learning curriculum
       • Hands on lab
       • Sample codes
       • Videos
       • Slides
       • E-Certification
       • Online Assessment
  35. eBooks in Bahasa
  36. Indonesia Developer Portal
  37. IT Professional Portal
  38. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
      The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.