SEC301
  • TechEd 2006 - Securing your Data with Microsoft Technologies EFS, RMS, Full Volume Encryption, SQL 2005 - lots of encryption for overlapping sets of data. Which do you use, when and why? This talk will help you understand the common security basis for all these technologies, and then discuss the different threats for which each is and isn't suitable. Next we'll examine the best configuration settings to get the maximum security benefit for your organization, and finally look at current security attack scenarios and which security technologies will actually help protect your data against such attacks.
  • Plus all the supporting technologies: CSPs, password hashing (LM, NTLM), cached password verifiers, SYSKEY, DPAPI, managed DPAPI classes…
  • Statistics on where the most data is stored in the least-well-protected systems:
    • Clients (notebooks, desktops)
    • Servers (branch office, data center)
    • Removable storage (flash, USB, DVD-RW)
    • Mobile devices (phone, PDA, UMPC)
    Managing risk = focus attention on greatest exposures first; don’t try to solve the problem all at once. Server roles: F&P, email, docman/collab, RDBMS, SAN, HSM.
  • Documents: it may sound simple, but in reality many orgs have different standard locations for users’ docs (root folder, redirect to server, separate partition), plus all the app-specific data locations (e.g. desktop search, MSDE/Access).
  • These are the most common
  • Hey Mike, are you dreaming? We aren’t running Vista in our organizations. “Better passwords” = longer passphrases, then ditch the complexity. Per-PC smartcard logon: XPSP2 Group Policy aka “Interactive logon: require smart card”. If you believe every person that finds a lost laptop from your org is an uber-hacker just waiting to find some secret company documents, well… then maybe you work for Microsoft. Hiberfile: encrypted in XPSP2.
  • Bonus: encryption on physical media reduces the risk of accidentally left-behind CDs, USB drives, etc. allowing malicious people to find sensitive data on devices that become separated from the computer.
  • Best-fit solutions are also known as “point solutions” or “as good as you can get for now”.
  • Sample IRM UI if needed or if demo’s not possible

SEC301 Presentation Transcript

  • Securing Your Data with Microsoft Technologies
    Mike Smith-Lonergan, Sr. Technical Program Manager, Microsoft Corporation, [email_address]
  • What you can expect Today
    • Our current thinking on Scenarios & Solutions
    • What technologies to use where and why
    • 60 minutes for discussion & quick demo
    • 15 minutes for questions at the end
  • Why Am I Talking To You About This?
    • “When should I use X?”
      • EFS, RMS, S/MIME, BDE, XPS, CAPI, CAPICOM, CAPI-NG, WS-Sec, Smart Cards…
    • “What is the right encryption to use?”
    • “Give me a strategic direction”
  • Where is your Data Stored?
    • Q: Where is your biggest security exposure?
    • Trick question!
  • Clients
    • Documents
      • Where do your users keep their documents?
    • User Profile
      • Outlook, Sharepoint, Desktop, Temp
    • per-machine data
      • Search index, file cache
  • Servers
    • File Shares
    • Collaboration store (e.g. Sharepoint)
    • RDBMS (e.g. SQL)
    • Mail (e.g. Exchange)
    • SAN
    • HSM
    • Enterprise backup
    • Where ISN’T Data stored?
  • Big Picture…
  • What Technologies Can Be Used?
    • ACLs
    • Rights Management (eek!)
    • Role-based Access
    • System encryption
    • Application encryption
  • ACLs
    • Classic approach
    • Configuring:
      • Windows Explorer, cacls.exe
      • Group Policy/Secedit
      • NEW! .NET Framework 2.0 (SDDL)
    • Good: protect against online/remote attackers
    • Bad: protecting against local Admins
    • Ugly: protecting against offline attacks
  • ACLs example: File server
    • Uses AD, Group Policy, Windows client
    • Goal: users cannot see each others’ files
    • Server shares folder \\server\Home
      • Share permissions = Users: Change
    • Folder root permissions allow:
      • Users: Traverse folder, List folder, Create folders, Read (This folder only)
      • Creator/owner: Change (Subfolders and files only)
    • Result:
      • User creates new folder
      • Can do anything they want with that folder
      • No other user can see inside that folder
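As an added example (not from the deck), here is the home-folder layout above expressed as icacls.exe commands, the successor of the cacls.exe the ACL slide names; the D:\Home path, the Home share name and an elevated prompt on Vista / Server 2008 or later are assumptions:

```powershell
# Added example (not from the SEC301 deck): the slide's home-folder layout,
# built with icacls.exe. Assumptions: root folder D:\Home, share name Home,
# an elevated prompt on Vista / Server 2008 or later.
$HomeRoot  = 'D:\Home'
$ShareName = 'Home'

New-Item -ItemType Directory -Path $HomeRoot -Force | Out-Null

# Start from a clean DACL: remove inherited entries so nothing granted at the
# volume root (typically Users:Modify) leaks through to the home folders.
icacls $HomeRoot /inheritance:r

# Operators keep full control of the whole tree. Without this, once a user
# owns a subfolder, backup and helpdesk staff are locked out of it.
icacls $HomeRoot /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Users: Traverse folder (X), List folder (RD), Create folders (AD) plus the
# rights that make up Explorer's "Read" (RA, REA, RC, S), on this folder only:
# no (OI)/(CI) flags, so the entry does not propagate into subfolders.
# There is deliberately no WD, so users cannot drop files into the root.
icacls $HomeRoot /grant 'BUILTIN\Users:(X,RD,AD,RA,REA,RC,S)'

# CREATOR OWNER: Change (Modify) on subfolders and files only. (OI)(CI)(IO)
# makes the entry inherit-only at the root; each folder a user creates gets a
# copy with that user substituted for CREATOR OWNER, so only they (and the
# operators above) can see inside it.
icacls $HomeRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)M'

# Share permissions = Users: Change. The NTFS DACL above does the real work;
# the share ACL just must not be more restrictive than NTFS.
net share "$ShareName=$HomeRoot" '/grant:Users,CHANGE'

# Print the resulting DACL to compare against the slide.
icacls $HomeRoot
```

Test it the way the slide describes: log on as an ordinary user, create a folder under the share, then try to list it as a second ordinary user.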
  • Rights Management
    • The “ACL” goes wherever the document goes
    • Combines encryption with policy enforcement
    • Good: protecting against offline, online attacks
    • Bad: protecting against Super Users
    • Ugly: protecting against Active Directory admins
  • Roles-based access (RBAC)
    • Idealized approach
    • Must combine with other tech
      • ACLs
      • Encryption
      • Rights Management
      • App-specific authorization (e.g. SQL, Exchange)
    • Issues:
      • Every Windows app has a different approach
      • Still no better against offline attacks
  • RBAC scenario: rights management
    • Leverage Active Directory, RMS, Office
    • Assign users to groups (roles) in AD
    • RMS Templates assign rights to groups
    • Use RMS-enabled app (e.g. Office) to assign rights via templates
    • RMS server and client grant limited access to documents
  • Corporate Intranet
    • Assume author is already bootstrapped with a RAC and CLC
    • Author creates mail
    • Author protects mail using RAC and CLC
    • Author sends mail to recipient
    • Recipient contacts AD for service discovery
    • Recipient gets bootstrapped from RMS
    • Recipient gets use license from RMS
    • Recipient can access content
    [Figure: Intranet / VPN scenario, publishing and consumption. Numbered flow (1–8) between author, recipient, Active Directory (RMS SCP) and the RMS server, exchanging RAC, CLC, PL and UL.]
  • System encryption
    • Encrypt each file = Encrypting File System (EFS)
    • Encrypt each sector = BitLocker Drive Encryption (BDE)
    • Good: protect against offline attack
    • Bad: doesn’t protect against user error
    • Ugly: doesn’t protect between systems
  • BDE, EFS & RMS (BitLocker Drive Encryption, Encrypting File System, Rights Management Services)
  • Application Encryption
    • Leverage each app’s data protection approach
    • “Every” app has its own approach, e.g. Outlook S/MIME, SQL Server, Office, Winzip
    • Good: there’s encryption
    • Bad: hard to manage
    • Ugly: brutal to manage across the enterprise
  • App example: SQL 2005
    • SQL 2005 uses DPAPI
      • Comparable to EFS
    • Multiple layers of keys
      • Partition access
    • Encrypt instances, databases, tables with separate keys
    • Leverage HSM @ server level
    • Advantages: keys managed with data, max perf, uses system libraries
    • Disadvantages: Server & DB Ops can get keys
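An added example (not from the deck) of the layered key hierarchy the SQL 2005 slide summarises, run as T-SQL through the SqlServer module's Invoke-Sqlcmd; the instance name, the Payroll database, the object names and the placeholder password are assumptions:

```powershell
# Added example (not from the SEC301 deck): the layered key hierarchy the
# slide summarises, as T-SQL run through Invoke-Sqlcmd (SqlServer module).
# Assumptions: local default instance, an existing database named Payroll,
# and a placeholder password that you replace with one held outside SQL.
$Instance    = 'localhost'
$Database    = 'Payroll'
$KeyPassword = 'REPLACE-WITH-STRONG-PASSPHRASE'   # placeholder, not a real secret

$tsql = @"
-- Layer 1 (implicit): the service master key, one per instance, protected by
-- DPAPI under the service account; this is the "comparable to EFS" part.
-- Layer 2: a database master key (DMK), encrypted by the SMK and by a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$KeyPassword';
-- Layer 3: a certificate whose private key is protected by the DMK.
CREATE CERTIFICATE SalaryCert WITH SUBJECT = 'Payroll column protection';
-- Layer 4: a symmetric key for the data itself, protected by the certificate.
-- (AES needs Windows Server 2003 or later; on XP hosts use TRIPLE_DES.)
CREATE SYMMETRIC KEY SalaryKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SalaryCert;

CREATE TABLE dbo.Salary (EmployeeId int PRIMARY KEY, SalaryEnc varbinary(256));
OPEN SYMMETRIC KEY SalaryKey DECRYPTION BY CERTIFICATE SalaryCert;
INSERT dbo.Salary VALUES (1, EncryptByKey(Key_GUID('SalaryKey'), CONVERT(varbinary(8), 125000)));
CLOSE SYMMETRIC KEY SalaryKey;

-- The slide's disadvantage: as long as the DMK is also encrypted by the SMK,
-- a sysadmin opens it implicitly, no password needed. Dropping that link
-- means decryption now depends on a secret kept outside the server, the
-- "central keys managed elsewhere" idea from the server-side scenario.
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;

-- Reading back now requires the password; without it DecryptByKey yields NULL.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '$KeyPassword';
OPEN SYMMETRIC KEY SalaryKey DECRYPTION BY CERTIFICATE SalaryCert;
SELECT EmployeeId, CONVERT(int, DecryptByKey(SalaryEnc)) AS Salary FROM dbo.Salary;
CLOSE SYMMETRIC KEY SalaryKey;
CLOSE MASTER KEY;
"@

# Runs the whole batch; only the final SELECT produces rows.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $tsql |
    Format-Table -AutoSize
```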
  • Scenarios
    • Loss or Theft of PC
      • aka “notebook in taxi”
    • Reduced data leaks
      • aka “whoopsie”
    • Server-side encryption
      • aka “untrustworthy Admins”
    • End-to-end encryption
      • aka “regulatory compliance”
  • (1) Loss or Theft of PC
    • Threat: Attackers with infinite time, many tools, well-documented attack techniques
    • Goal: mitigate the risk of Data exposure
      • Reduce the risk, NOT eliminate
    • Good
      • Application Encryption
    • Better
      • Minimize the stored data
      • System Encryption
    • Don't bother with ACLs, RBAC, DRM
  • (1) Loss or Theft of PC
    • EFS
      • Mitigates offline attacks except against user account
      • Prevents online attacks (on encrypted files)
      • Threats focus on user’s password
    • BitLocker with TPM or USB (Vista)
      • Prevents offline attacks (replace passwords, copy hashes, change system files)
      • Threats focus on user logons
    • Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
      • Attacker with notebook + Smart Card needs PIN (not password)
      • After “x” bad tries, Smart Card locked FOREVER
  • (1) Loss or Theft of PC
    • Reality check: Windows XP today
    • Attack focus: user passwords, cleartext data
    • Tactics:
      • Better passwords/phrases
      • Encrypt significant sets of data
        • EFS for Documents, email, desktop, TIF, server caches
      • Smartcard logon per-PC
    • Residual risk: pagefile fragments, hiberfile, cached logon verifiers
  • (2) Reduced data leaks
    • Threat: Authorized users with legit access giving data to others
    • Goal: mitigate the risk of spread of data
      • Reduce, NOT eliminate
    • Good
      • ACLs, Role-based Access
    • Better
      • DRM, Application encryption
    • Don't bother with System encryption
  • (2) Reduced data leaks
    • ACL shared files on servers with RBAC groups
      • Prevents users from granting each other permissions
    • Leverage a rights management technology
      • Reduces the amount of unprotected files
    • Ideal: RM automatically assigned (RMS partners)
      • Enforces RM protection according to pre-defined business rules
    • Bonus: encryption on physical media
    • Bonus: removable media policy (Vista)
  • (2) Reduced data leaks
    • Reality check: user-initiated RMS is unreliable
    • Risk focus: leaks to outsiders
    • Tactics:
      • “do not forward” emails from execs, legal, R&D
      • RMS automation on servers (future)
      • Converting AD roles to security-enabled Distribution Groups
      • Experiment with WinFX, Print-to-XPS
  • (3) Server-Side Encryption
    • Threat: some Admins have or grant themselves access with no oversight or detection
    • Goal: mitigate the risk of widespread leaks
      • Reduce, NOT eliminate
    • Good
      • Role-based Access
    • Better
      • System encryption, Application encryption, ERM
    • Don't Bother with ACLs
  • (3) Server-Side Encryption
    • Roles-based access on all servers (and clients)
      • Prevents Admins from unaudited access to data
    • EFS, BitLocker, RMS with central keys managed elsewhere
      • Reduces opportunity for quick access to protected data
      • Threats switch to impersonating users
    • Bonus: audit for Object Access (Take Ownership, Change Permissions), Policy Change, System Events
    • Bonus: role-separated audit collection
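An added example (not part of the presentation) of the two bonus items on this slide: enabling the three audit categories with auditpol, putting a Take Ownership / Change Permissions SACL on the data root, and reading the resulting 4670 events back; D:\Home as the data root and an elevated PowerShell session are assumptions:

```powershell
# Added example (not from the SEC301 deck): the slide's two audit bonuses,
# plus a query that reads the result back. Assumptions: the protected data
# lives under D:\Home and this runs elevated (Vista / Server 2008 or later,
# since SACL edits need SeSecurityPrivilege and auditpol needs admin).
$DataRoot = 'D:\Home'

# 1. Enable the three categories named on the slide, success and failure.
auditpol /set '/category:Object Access' /success:enable /failure:enable
auditpol /set '/category:Policy Change' /success:enable /failure:enable
auditpol /set '/category:System'        /success:enable /failure:enable

# 2. Object Access auditing only fires for objects that carry a SACL. Audit
#    Take Ownership and Change Permissions for everyone, inherited down the
#    tree, so an admin who re-ACLs or seizes a user's folder leaves a record.
$acl  = Get-Acl -Path $DataRoot -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $DataRoot -AclObject $acl

# 3. Detection: Security event 4670 ("Permissions on an object were changed")
#    records who changed a DACL or owner, on which object, with the old and
#    new security descriptor in SDDL. Filter it to the data root.
function Get-AclChange {
    param([string]$Root = $DataRoot, [int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4670
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.ObjectName -like "$Root*") {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object = $d.ObjectName
                OldSd  = $d.OldSd
                NewSd  = $d.NewSd
            }
        }
    }
}

# In production these rows go to the role-separated collector; here, list them.
Get-AclChange | Format-Table -AutoSize
```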
  • (4) End-to-end encryption
    • Challenges
    • Approaches
    • Futures
  • (4) End to End: Challenges
    • Lack of product integration
    • Key management
      • Keep keys close to data (performance, portability)?
      • Keep keys far from data (security, administration)?
    • Cross-platform issues
    • Managing transitions between systems, applications and organizations
  • (4) End to End: Approaches
    • Standard algorithms
    • Third-party products
    • Best-fit solutions
    • Mitigate greatest exposures first
  • (4) End to End: Futures
    • “information protection platform”
      • Possibly integrate EFS, RMS, NGSCB
    • WS-Sec (and other standards)
    • .NET Framework 3.0 (WinFX)
    • IPv6
  • Beyond Microsoft technologies
    • Pervasive hardware-integrated crypto
    • ISV encryption
    • ISV rights management
    • Smart cards
    • other multi-factor access control
  • Calls to Action
    • Fill out the Survey – Please!
    • Give me specific feedback:
      • Guidance you need for Protecting Data with Microsoft technologies
      • What bugs you about the current product “stack”
    • Send me email: [email_address]
    • When you get home…
    • IT: Plan your AD schema upgrade!
    • Dev: Download WinFX
  • Want More of Us?
    • Breakout Session: Regulatory Compliance
      • SEC211 with Bill Canning
      • WED 8:30am
    • CIS or Security Booth in TLC “Red”
    • TechEd Connect
    • AND…
    • Focus Group: Data Protection (drop me a business card)
  • Resources
    • User Groups: http://www.microsoft.com/communities/usergroups/default.mspx
    • Technical Community Sites: http://www.microsoft.com/communities/default.mspx
    • Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
    • Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
    • MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
    • Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
    • Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
  • Fill out a session evaluation on CommNet and Win an XBOX 360!
  • © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
  • Sample IRM UI (permissions dialog):
    • Add users with Read and Change permissions
    • Verify aliases & DLs via AD
    • Add advanced permissions
  • Sample IRM UI (advanced permissions):
    • Set expiration date
    • Enable print, copy permissions
    • Add/remove additional users
    • Contact for permission requests
    • Enable viewing via RMA
  • Safeguarding Confidential Data: Comparison of Technologies Used to Safeguard Confidential Data
    Feature                                                                                   EFS     ACLs   S/MIME encryption  BDE  IRM
    Extends protection beyond initial publication location                                    Yes **  No     Yes                No   Yes
    Controls content access to reading, forwarding, saving, modifying, or printing by consumer  No      Yes *  No                 No   Yes
    Offers use license expiration                                                             No      No     No                 No   Yes
    Offers content expiration                                                                 No      No     No                 No   Yes
    Encrypts protected content                                                                Yes     No     Yes                Yes  Yes
    Prevents unauthorized access                                                              Yes     Yes    Yes                Yes  Yes
    Differentiates permissions by consumer                                                    No      Yes    No                 No   Yes
    Attests to the identity of the publisher                                                  No      No     No                 No   No
  • RMS at Microsoft Example of RMS Templates
    • Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel
    • Microsoft Confidential: Only Microsoft employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward.
    • Microsoft FTE Confidential Read Only: Only Microsoft full-time employees can access the message. Allows for View, Reply, and Reply All.
    • Microsoft FTE Confidential: Only Microsoft full-time employees can access the message. Allows for View, Reply, Reply All, Save, Edit, and Forward.
    • Microsoft Confidential Read Only: Only Microsoft employees can access the message. Allows for View, Reply, Reply All.
    • Do Not Reply All: Recipients can View, Reply, Save, Edit, and Forward but can not Reply All.