  • TechEd 2006 - Securing your Data with Microsoft Technologies EFS, RMS, Full Volume Encryption, SQL 2005 - lots of encryption for overlapping sets of data. Which do you use, when and why? This talk will help you understand the common security basis for all these technologies, and then discuss the different threats for which each is and isn't suitable. Next we'll examine the best configuration settings to get the maximum security benefit for your organization, and finally look at current security attack scenarios and which security technologies will actually help protect your data against such attacks.
  • Plus all the supporting technologies: CSPs, password hashing (LM, NTLM), cached password verifiers, SYSKEY, DPAPI, managed DPAPI classes…
  • Statistics on where the most data is stored in the least-well-protected systems: clients (notebooks, desktops); servers (branch office, data center); removable storage (flash, USB, DVD-RW); mobile devices (phone, PDA, UMPC). Managing risk = focus attention on greatest exposures first – don’t try to solve the problem all at once. Server roles: F&P, email, docman/collab, RDBMS, SAN, HSM.
  • Documents – it may sound simple, but in reality many orgs have different standard locations for users’ docs: root folder, redirect to server, separate partition, plus all the app-specific data locations (e.g. desktop search, MSDE/Access).
  • These are the most common
  • Hey Mike, are you dreaming? We aren’t running Vista in our organizations. “Better passwords” = longer passphrases – then ditch the complexity. Per-PC smartcard logon – XPSP2 Group Policy aka “Interactive logon: require smart card”. If you believe every person that finds a lost laptop from your org is an uber-hacker just waiting to find some secret company documents, well… then maybe you work for Microsoft. Hiberfile – encrypted in XPSP2.
  • Bonus: encryption on physical media reduces the risk of accidentally left-behind CDs, USB drives, etc. allowing malicious people to find sensitive data on devices that become separated from the computer.
  • Best-fit solutions are also known as “point solutions” or “as good as you can get for now”.
  • Sample IRM UI if needed or if demo’s not possible
  • Sample IRM UI if needed or if demo’s not possible
  • SEC301

    1. Securing Your Data with Microsoft Technologies
       Mike Smith-Lonergan, Sr. Technical Program Manager, Microsoft Corporation, [email_address]
    2. What you can expect Today
       • Our current thinking on Scenarios & Solutions
       • What technologies to use where and why
       • 60 minutes for discussion & quick demo
       • 15 minutes for questions at the end
    3. Why Am I Talking To You About This?
       • “When should I use X?”
         - EFS, RMS, S/MIME, BDE, XPS, CAPI, CAPICOM, CAPI-NG, WS-Sec, Smart Cards…
       • “What is the right encryption to use?”
       • “Give me a strategic direction”
    4. Where is your Data Stored?
       • Q: Where is your biggest security exposure?
       • Trick question!
    5. Clients
       • Documents
         - Where do your users keep their documents?
       • User Profile
         - Outlook, Sharepoint, Desktop, Temp
       • per-machine data
         - Search index, file cache
    6. Servers
       • File Shares
       • Collaboration store (e.g. Sharepoint)
       • RDBMS (e.g. SQL)
       • Mail (e.g. Exchange)
       • SAN
       • HSM
       • Enterprise backup
       • Where ISN’T Data stored?
    7. Big Picture…
    8. What Technologies Can Be Used?
       • ACLs
       • Rights Management (eek!)
       • Role-based Access
       • System encryption
       • Application encryption
    9. ACLs
       • Classic approach
       • Configuring:
         - Windows Explorer, cacls.exe
         - Group Policy/Secedit
         - NEW! .NET Framework 2.0 (SDDL)
       • Good: protect against online/remote attackers
       • Bad: protecting against local Admins
       • Ugly: protecting against offline attacks
    10. ACLs example: File server
       • Uses AD, Group Policy, Windows client
       • Goal: users cannot see each others’ files
       • Server shares folder \\server\Home
         - Share permissions = Users: Change
       • Folder root permissions allow:
         - Users: Traverse folder, List folder, Create folders, Read (This folder only)
         - Creator/owner: Change (Subfolders and files only)
       • Result:
         - User creates new folder
         - Can do anything they want with that folder
         - No other user can see inside that folder
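As an added example (not part of the deck), here is how the slide-10 home-share ACL can be built with PowerShell on a current Windows Server with the SmbShare module. It assumes the share root D:\Home, the share name Home, the built-in Users, Administrators and SYSTEM principals, and a freshly created folder with no pre-existing explicit entries.

```powershell
# Added example (not from the TechEd deck): build the slide-10 home-share ACL.
# Assumptions: share root D:\Home, share name Home, built-in Users /
# Administrators / SYSTEM principals, folder newly created. Run elevated.
$Root  = 'D:\Home'
$Share = 'Home'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Share permissions = Users: Change. The NTFS ACL below does the real work.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -ChangeAccess 'Users' | Out-Null
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent and discard inherited entries, so only
# the rules added here apply to the share root.
$acl.SetAccessRuleProtection($true, $false)

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$none    = [System.Security.AccessControl.InheritanceFlags]::None
$both    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Rule($who, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, [System.Security.AccessControl.FileSystemRights]$rights, $inherit, $propagate, $allow)
}

# Users: Traverse folder, List folder, Create folders, Read -- "This folder only"
# (no inheritance), so the right never flows into the folders users create.
$acl.AddAccessRule((New-Rule 'Users' 'ExecuteFile, ListDirectory, CreateDirectories, Read' $none $noProp))

# CREATOR OWNER: Change (Modify) -- "Subfolders and files only" (InheritOnly),
# so whoever creates a folder controls it and nobody else gets a right inside it.
$acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'Modify' $both $inhOnly))

# Administrators and SYSTEM keep full control for management and backup.
$acl.AddAccessRule((New-Rule 'Administrators' 'FullControl' $both $noProp))
$acl.AddAccessRule((New-Rule 'SYSTEM' 'FullControl' $both $noProp))

Set-Acl -Path $Root -AclObject $acl

# Verify the scopes match the slide: Users -> InheritanceFlags None,
# CREATOR OWNER -> ContainerInherit, ObjectInherit with InheritOnly.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The share-level Change grant is deliberately broad; the per-folder isolation the slide promises comes entirely from the two scoped NTFS entries.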
    11. Rights Management
       • The “ACL” goes wherever the document goes
       • Combines encryption with policy enforcement
       • Good: protecting against offline, online attacks
       • Bad: protecting against Super Users
       • Ugly: protecting against Active Directory admins
    12. Roles-based access (RBAC)
       • Idealized approach
       • Must combine with other tech
         - ACLs
         - Encryption
         - Rights Management
         - App-specific authorization (e.g. SQL, Exchange)
       • Issues:
         - Every Windows app has a different approach
         - Still no better against offline attacks
    13. RBAC scenario: rights management
       • Leverage Active Directory, RMS, Office
       • Assign users to groups (roles) in AD
       • RMS Templates assign rights to groups
       • Use RMS-enabled app (e.g. Office) to assign rights via templates
       • RMS server and client grant limited access to documents
    14. Corporate Intranet
       • Assume author is already bootstrapped with a RAC and CLC
       • Author creates mail
       • Author protects mail using RAC and CLC
       • Author sends mail to recipient
       • Recipient contacts AD for service discovery
       • Recipient gets bootstrapped from RMS
       • Recipient gets use license from RMS
       • Recipient can access content
       [Diagram: Intranet / VPN scenario, publishing and consumption. Numbered flows between author, recipient, AD (RMS SCP) and RMS; labels: Internet, RAC, CLC, PL, UL]
    15. System encryption
       • Encrypt each file = Encrypting File System (EFS)
       • Encrypt each sector = BitLocker Drive Encryption (BDE)
       • Good: protect against offline attack
       • Bad: doesn’t protect against user error
       • Ugly: doesn’t protect between systems
    16. BDE, EFS & RMS
       [Diagram: BitLocker Data Encryption, Encrypting File System, Rights Management Services]
    17. Application Encryption
       • Leverage each app’s data protection approach
       • “Every” app has its own approach, e.g. Outlook S/MIME, SQL Server, Office, Winzip
       • Good: there’s encryption
       • Bad: hard to manage
       • Ugly: brutal to manage across the enterprise
    18. App example: SQL 2005
       • SQL 2005 uses DPAPI
         - Comparable to EFS
       • Multiple layers of keys
         - Partition access
       • Encrypt instances, databases, tables with separate keys
       • Leverage HSM @ server level
       • Advantages: keys managed with data, max perf, uses system libraries
       • Disadvantages: Server & DB Ops can get keys
    19. Scenarios
       • Loss or Theft of PC
         - aka “notebook in taxi”
       • Reduced data leaks
         - aka “whoopsie”
       • Server-side encryption
         - aka “untrustworthy Admins”
       • End-to-end encryption
         - aka “regulatory compliance”
    20. (1) Loss or Theft of PC
       • Threat: Attackers with infinite time, many tools, well-documented attack techniques
       • Goal: mitigate the risk of Data exposure
         - Reduce the risk, NOT eliminate
       • Good
         - Application Encryption
       • Better
         - Minimize the stored data
         - System Encryption
       • Don't bother with ACLs, RBAC, DRM
    21. (1) Loss or Theft of PC
       • EFS
         - Mitigates offline attacks except against user account
         - Prevents online attacks (on encrypted files)
         - Threats focus on user’s password
       • BitLocker with TPM or USB (Vista)
         - Prevents offline attacks (replace passwords, copy hashes, change system files)
         - Threats focus on user logons
       • Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
         - Attacker with notebook + Smart Card needs PIN (not password)
         - After “x” bad tries, Smart Card locked FOREVER
    22. (1) Loss or Theft of PC
       • Reality check: Windows XP today
       • Attack focus: user passwords, cleartext data
       • Tactics:
         - Better passwords/phrases
         - Encrypt significant sets of data
           - EFS for Documents, email, desktop, TIF, server caches
         - Smartcard logon per-PC
       • Residual risk: pagefile fragments, hiberfile, cached logon verifiers
    23. (2) Reduced data leaks
       • Threat: Authorized users with legit access giving data to others
       • Goal: mitigate the risk of spread of data
         - Reduce, NOT eliminate
       • Good
         - ACLs, Role-based Access
       • Better
         - DRM, Application encryption
       • Don't bother with System encryption
    24. (2) Reduced data leaks
       • ACL shared files on servers with RBAC groups
         - Prevents users from granting each other permissions
       • Leverage a rights management technology
         - Reduces the amount of unprotected files
       • Ideal: RM automatically assigned (RMS partners)
         - Enforces RM protection according to pre-defined business rules
       • Bonus: encryption on physical media
       • Bonus: removable media policy (Vista)
    25. (2) Reduced data leaks
       • Reality check: user-initiated RMS is unreliable
       • Risk focus: leaks to outsiders
       • Tactics:
         - “do not forward” emails from execs, legal, R&D
         - RMS automation on servers (future)
         - Converting AD roles to security-enabled Distribution Groups
         - Experiment with WinFX, Print-to-XPS
    26. (3) Server-Side Encryption
       • Threat: some Admins have or grant themselves access with no oversight or detection
       • Goal: mitigate the risk of widespread leaks
         - Reduce, NOT eliminate
       • Good
         - Role-based Access
       • Better
         - System encryption, Application encryption, ERM
       • Don't Bother with ACLs
    27. (3) Server-Side Encryption
       • Roles-based access on all servers (and clients)
         - Prevents Admins from unaudited access to data
       • EFS, BitLocker, RMS with central keys managed elsewhere
         - Reduces opportunity for quick access to protected data
         - Threats switch to impersonating users
       • Bonus: audit for Object Access (Take Ownership, Change Permissions), Policy Change, System Events
       • Bonus: role-separated audit collection
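As an added example (not part of the deck), this PowerShell function reads the "bonus" audit signals slide 27 recommends from the Security log: event 4670 (permissions or owner on an object changed) and event 4719 (system audit policy changed). It assumes Audit Object Access and Audit Policy Change are enabled, the protected folders carry a SACL for Change Permissions and Take Ownership, the caller can read the Security log, and the excluded account CONTOSO\svc-provision is a placeholder.

```powershell
# Added example (not from the TechEd deck): collect slide 27's "bonus" audit
# signals -- 4670 (permissions/owner on an object changed) and 4719 (system
# audit policy changed) -- and list who changed what. Assumes Audit Object
# Access and Audit Policy Change are enabled and the caller can read the
# Security log (administrator or Event Log Readers); -ComputerName lets a
# role-separated collector query the file server rather than an admin on it.
function Get-DataAccessAuditEvents {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4670, 4719; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named EventData fields from the event XML instead of relying
            # on positional Properties, whose order differs per event ID.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Subject  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object   = $(if ($_.Id -eq 4670) { $data['ObjectName'] }
                             else { 'Audit policy category ' + $data['CategoryId'] })
                Process  = $data['ProcessName']   # not present on 4719
                Computer = $_.MachineName
            }
        }
}

# Accounts that legitimately re-ACL data (a provisioning service, for instance)
# are excluded; what remains is the list of unaudited-access candidates to review.
$expectedChangers = @('CONTOSO\svc-provision')   # assumed placeholder account
Get-DataAccessAuditEvents |
    Where-Object { $expectedChangers -notcontains $_.Subject } |
    Sort-Object Time |
    Format-Table Time, Id, Subject, Object, Process -AutoSize
```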
    28. (4) End-to-end encryption
       • Challenges
       • Approaches
       • Futures
    29. (4) End to End: Challenges
       • Lack of product integration
       • Key management
         - Keep keys close to data (performance, portability)?
         - Keep keys far from data (security, administration)?
       • Cross-platform issues
       • Managing transitions between systems, applications and organizations
    30. (4) End to End: Approaches
       • Standard algorithms
       • Third-party products
       • Best-fit solutions
       • Mitigate greatest exposures first
    31. (4) End to End: Futures
       • “information protection platform”
         - Possibly integrate EFS, RMS, NGSCB
       • WS-Sec (and other standards)
       • .NET Framework 3.0 (WinFX)
       • IPv6
    32. Beyond Microsoft technologies
       • Pervasive hardware-integrated crypto
       • ISV encryption
       • ISV rights management
       • Smart cards
       • other multi-factor access control
    33. Calls to Action
       • Fill out the Survey – Please!
       • Give me specific feedback:
         - Guidance you need for Protecting Data with Microsoft technologies
         - What bugs you about the current product “stack”
       • Send me email: [email_address]
       • When you get home…
       • IT: Plan your AD schema upgrade!
       • Dev: Download WinFX
    34. Want More of Us?
       • Breakout Session: Regulatory Compliance
         - SEC211 with Bill Canning
         - WED 8:30am
       • CIS or Security Booth in TLC “Red”
       • TechEd Connect
       • AND…
       • Focus Group: Data Protection (drop me a business card)
    35. Resources
       • User Groups: usergroups/default.mspx
       • Technical Community Sites: default.mspx
       • Newsgroups: communities/newsgroups/en-us/default.aspx
       • Virtual Labs: traincert/virtuallab/rms.mspx
       • MSDN & TechNet
       • Microsoft Learning and Certification: default.mspx
       • Technical Chats and Webcasts: default.mspx, webcasts/default.asp
    36. Fill out a session evaluation on CommNet and Win an XBOX 360!
    37. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
    38. (Sample IRM UI)
       • Add users with Read and Change permissions
       • Verify aliases & DLs via AD
       • Add advanced permissions
    39. (Sample IRM UI)
       • Set expiration date
       • Enable print, copy permissions
       • Add/remove additional users
       • Contact for permission requests
       • Enable viewing via RMA
    40. Safeguarding Confidential Data
       Comparison of Technologies Used to Safeguard Confidential Data

       Feature                                                   EFS     ACLs   S/MIME encryption  BDE   IRM
       Extends protection beyond initial publication location    Yes **  No     Yes                No    Yes
       Controls content access to reading, forwarding, saving,
         modifying, or printing by consumer                      No      Yes *  No                 No    Yes
       Offers use license expiration                             No      No     No                 No    Yes
       Offers content expiration                                 No      No     No                 No    Yes
       Encrypts protected content                                Yes     No     Yes                Yes   Yes
       Prevents unauthorized access                              Yes     Yes    Yes                Yes   Yes
       Differentiates permissions by consumer                    No      Yes    No                 No    Yes
       Attests to the identity of the publisher                  No      No     No                 No    No
    41. RMS at Microsoft: Example of RMS Templates
       • Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel
       • Microsoft Confidential: Only Microsoft employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
       • Microsoft FTE Confidential Read Only: Only Microsoft full-time employees can access the message. Allows for View, Reply, and Reply All.
       • Microsoft FTE Confidential: Only Microsoft full-time employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward
       • Microsoft Confidential Read Only: Only Microsoft employees can access the message. Allows for View, Reply, Reply All
       • Do Not Reply All: Recipients can View, Reply, Save, Edit, and Forward but can not Reply All