Microsoft Platform Security Briefing



  1. 1.
  2. 2. You are in a workshop… Not a training…
  3. 3.
  4. 4. Who are we - Introductions
      • Ranjana Jain, IT Pro Evangelist – Platform Security, Microsoft India (MCSE, MCT, RHCE, CISSP, CIW Security Analyst)
      • Srinivas L, Technology Specialist – Security, Microsoft India (MCTS-Security, CCNA, CCNE, CNA)
      • Gautam Dua, Solution Specialist – Management and Security, Microsoft India (MCSE, MCT)
  5. 5.
  6. 6. Evolving Threat Landscape
      • 1986–1995: Local Area Networks; First PC virus; Boot sector viruses; Create notoriety or cause havoc; Slow propagation; 16-bit DOS
      • 1995–2000: Internet Era; Macro viruses; Script viruses; Create notoriety or cause havoc; Faster propagation; 32-bit Windows
      • 2000–2005: Broadband prevalent; Spyware, Spam; Phishing; Botnets; Rootkits; Financial motivation; Internet wide impact; 32-bit Windows
      • 2007: Hyper jacking; Peer to Peer; Social engineering; Application attacks; Financial motivation; Targeted attacks; 64-bit Windows
  7. 7. Evolving Threats
      [Chart labels. Motivations: National Interest, Personal Gain, Personal Fame, Curiosity. Attacker types: Vandal, Trespasser, Author, Thief, Spy. Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist. Callouts: Largest segment by $ spent on defense; Largest area by $ lost; Fastest growing segment; Largest area by volume.]
  8. 8. Addressing Security Threats
      • Technology: Helps turn IT into a business asset not a cost center; Supports your day to day security processes; Is the Enabler to running your business successfully
      • Process: Data privacy processes to manage data effectively; IT security processes to implement, manage, and govern security; Financial reporting processes that include security of the business
      • People: Company understands the importance of security in the workplace; Individuals know their role with security governance and compliance; IT staff has the security skills and knowledge to support your business
  9. 9. Microsoft’s Promises To You
      • Manage Complexity, Achieve Agility
      • Amplify the Impact of Your People
      • Protect Information, Control Access
      • Advance the Business with IT Solutions
  10. 10. Delivering On The Promise: Infrastructure Optimization
      *Source: Microsoft CSO Summit 2007 Registration Survey
  11. 11. Core Infrastructure Optimization
      • Basic (Cost Center, $1320/PC Cost): No centralized enterprise directory; No automated patch management; Anti-malware not centrally managed; Message security for e-mail only; No secure coding practices in place
      • Standardized (More Efficient Cost Center, $580/PC Cost): Using enterprise directory for authentication; Automated patch management tools deployed; Anti-malware is managed centrally; Unified message security in place
      • Rationalized (Business Enabler, $230/PC Cost): Integrated directory services, PKI in place; Formal patch management process; Defense in depth threat protection; Security extended to remote and mobile workforce
      • Dynamic (Strategic Asset, <$100/PC Cost): Full identity lifecycle management, ID Federation, Rights Mgt Services in use; Metrics driven update process; Client quarantine and access policy enforcement
      Source: GCR and IDC data analyzed by Microsoft, 2006
  12. 12. Core Infrastructure Optimization Model: Security
      Improve IT Maturity while Gaining ROI
      Stages: Basic, Standardized, Rationalized, Dynamic
      • Technology: Self provisioning and quarantine capable systems ensure compliance and high availability; Automate identity and access management; Automated system management; Multiple directories for authentication; Limited automated software distribution; Patch status of desktops is unknown; No unified directory for access mgmt
      • Process: Self-assessing and continuous improvement; Easy, secure access to info from anywhere on Internet; SLAs are linked to business objectives; Clearly defined and enforced images, security, best practices; Central Admin and configuration of security; Standard desktop images defined, not adopted by all; IT processes undefined; Complexity due to localized processes and minimal central control
      • People: IT is a strategic asset; Users look to IT as a valued partner to enable new business initiatives; IT Staff manages an efficient, controlled environment; Users have the right tools, availability, and access to info; IT Staff trained in best practices such as MOF, ITIL, etc.; Users expect basic services from IT; IT staff taxed by operational challenges; Users come up with their own IT solutions
  13. 13.
  14. 14. Secure, Usable, Cheap: You get to pick any two!
  15. 15. Trustworthy Computing
  16. 16. Security Development Lifecycle
      • Design
      • Threat Modeling
      • Standards, best practices, and tools
      • Security Push
      • Final Security Review
      • RTM and Deployment
      • Signoff
      • Security Response
      • Product Inception
  17. 17. Comprehensive Security Portfolio
      • Services
      • Edge
      • Encrypting File System (EFS)
      • Server Applications
      • BitLocker™
      • Information Protection
      • Network Access Protection (NAP)
      • Client and Server OS
      • Identity Management
      • Windows CardSpace
      • Systems Management
      • Active Directory Federation Services (ADFS)
      • Guidance
      • Developer Tools
  18. 18.
  19. 19. Priority #1 - Platform Security
      • Security Development Lifecycle
      • Security Response Center
      • Better Updates And Tools
  20. 20. Security Development Lifecycle (SDL)
      • Secure Platform: Kernel Patch Protection; Kernel-mode Driver Signing; Secure Startup; Windows Service Hardening
      • Secure Access: User Account Control; Network Access Protection (NAP); IPv6; IPsec; Windows CardSpace; Native smart card support; GINA Re-architecture; Certificate Services; Credential roaming
      • Data Protection: Rights Management Services (RMS); SharePoint, Exchange, Windows Mobile integration; Encrypting File System (EFS); BitLocker
      • Malware Protection: Windows Defender; IE Protected Mode; Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Bi-directional Firewall; Windows Security Center
  21. 21. Security Development Lifecycle (SDL)
      • Secure Platform: Windows Server Virtualization (Hypervisor); Role Management Tool; OS File Integrity
      • Network Protection: Network Access Protection (NAP); Server and Domain Isolation with IPsec; End-to-end Network Authentication; Windows Firewall With Advanced Security On By Default
      • Data Protection: Rights Management Services (RMS); Full volume encryption (BitLocker); USB Device-connection rules with Group Policy; Improved Auditing; Windows Server Backup
      • Identity Access: Read-only Domain Controller (RODC); Active Directory Federation Srvcs. (ADFS); Administrative Role Separation; PKI Management Console; Online Certificate Status Protocol
  22. 22. Physical and Infrastructure Security
      • Windows Firewall with Advanced Security: Supports both inbound and outbound filtering; Set filtering policies by port, traffic type, or application; Built-in support for IPv6, IPSec, and NAP policies
      • Network Access Protection: Windows Vista has built-in support for NAP; NAP Policies support conditional exclusions so unhealthy clients can connect to update servers to become compliant with established policies
      • IPSec: Windows Vista has built-in support for IPSec; Windows Vista IPSec policies support NAP/NAC and Domain Isolation; IPSec policies support conditional exclusions
  23. 23. Identity and Access Control
      • Windows Security Center: Shows status of security software and settings; Monitor multiple vendors’ security solutions running on a computer and indicate which are enabled and up-to-date
      • Authentication Methods: New deployment and management tools like PIN reset tools; Common API model to help make it easier for smart card developers to make new tools; Improved support for biometrics and tokens
      • Windows CardSpace: Manages Internet identities and allows for user control of personally identifiable information; Allows users to view what personal information will be shared and how it will be used
  24. 24. Identity and Access Control
      Malware Protection
      Components: Windows Defender; Internet Explorer 7; Malicious Software Removal Tool
      • Protects against damage caused by malware installations
      • IE processes are ‘sandboxed’ to protect against infection
      • Designed for security and compatibility
      • Leverages UAC and improved caching technology integration for better performance
      • Integration with IE7 allows downloaded files to be scanned prior to saving or execution
      • Scans computers for infections by specific types of prevalent malware families
      • Updated versions are released each month or as needed when new threats are discovered
  25. 25. Information Protection
      • BitLocker Drive Encryption: Data encryption for volumes and hard drives; Uses AES encryption and integration with Trusted Platform Module (TPM 1.2) to secure data
      • Data Storage Group Policies: Enforce data storage policies by controlling where users can store data; Prevent data loss and theft by limiting what media can be used to store sensitive information
      • Encrypting File System: User-based data encryption for files and folders; EFS keys can be stored on roaming profiles or on smart cards
  26. 26. New Windows Firewall
      • Inbound and Outbound Filtering
      • New Management MMC
      • Integrated Firewall and IPsec Policies
      • Rule Configuration on Active Directory Groups and Users
      • Support for IPv4 and IPv6
      • Advanced Rule Options
      • On by Default (Beta 3)
  27. 27. Windows Service Hardening: Defense In Depth – Factoring/Profiling
      • Reduce size of high risk layers
      • Segment the services
      • Increases number of layers
      [Diagram labels: Service 1, Service 2, Service 3, Service …, Service A, Service B, Kernel Drivers, User-mode Drivers]
  28. 28. Network Access Protection
      [Diagram labels: Corporate LAN; NAP Network; Microsoft Network Policy Server; Windows Client; DHCP, VPN, Switch/Router; Policy Server (Patch, AV); Patch Server; Restricted Network; Policy Compliant; Not Policy Compliant]
      1. Client requests access to network and presents current health state
      2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
      3. Network Policy Server (NPS) validates against IT-defined health policy
      4. If not policy compliant, client is put in a restricted VLAN and given access to download patches, configurations, signatures (Repeat 1 - 4)
      5. If policy compliant, client is granted full access to corporate network
  29. 29. Windows Server Core
      • Features: Limits the server roles used; Installs only a subset of the binaries; Only required features are installed; Command line interface, no GUI shell; Takes about 1 GB for installation
      • Benefits: Reduced Software Maintenance; Reduced Attack Surface; Reduced Management; Less Disk Space Required
  30. 30. Windows Server Core Architecture
      • Features: WINS; SNMP; BitLocker Drive Encryption; Telnet Client; Failover Clustering; Removable Storage Management; Backup
      • Roles: File Server; Active Directory; AD Lightweight Directory Service; Print Server; Media Services; Windows Virtualization Server; DNS; DHCP
      • Server Core:
         - Thin Management Tools (Local and Remote): Configure IP Address, Join a Domain, Create Users, etc.
         - Core Subsystems: Security (Logon Scenarios), Networking (TCP/IP), File Systems, RPC, Winlogon, Necessary Dependencies
         - Infrastructure Features: Command Shell, Domain Join, Event Log, Perform. Counter Infra., WS-Mgmt, WMI Infra, Licensing Service, WFP, HTTP Support, IPsec
         - Resolved Category Dependencies: HAL, Kernel, VGA, Logon, etc.
         - Hardware Support Components: Disk, Network Adapter, etc.
  31. 31. Microsoft Security …
  32. 32. Edge, server and client protection
      • “Point to Point” Solutions
      • Security of data at rest and in transit
      • Mobile workforce
      • Manageability
      • Corporate
      • Client Protection
      • Server Protection
      • Consumer/Small Business
      • Simple PC maintenance
      • Anti-Virus
      • Anti-Spyware
      • Anti-Phishing
      • Firewall
      • Performance Tuning
      • Backup and Restore
      • Edge Protection
      • Protection
  33. 33. Unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control
      • Unified Protection: One spyware and virus protection solution; Built on protection technology based; Effective threat response
      • Simplified Administration: One simplified security administration console; Define one policy to manage client protection agent settings; Integrates with your existing infrastructure
      • Visibility and Control: One dashboard for visibility into threats and vulnerabilities; View insightful reports; Stay informed with state assessment scans and security alerts
  34. 34. Combined Solution
      • Windows Vista™: User Account Control; IE7 with Protected Mode; Randomize Address Space Layout; Advanced Desktop Firewall; Kernel Patch Protection (64bit)
      • Server and Domain Isolation (SD&I): Policy Based Network Segmentation; Restrict-To-Trusted Net Communications; Infrastructure Software Integration
      • Forefront™ Client Security: Unified Virus & Spyware Protection; Central Management; Reporting, Alerting and State Assessment
  35. 35. Operations Architecture
      [Diagram labels: Microsoft Update; Reporting and Alerting Server; Management Server; (OR ALTERNATE SYSTEM), shown twice; Desktops, Laptops and Server Operating Systems Running Microsoft Forefront Client Security. Flows: REPORTS, SETTINGS, DEFINITIONS, EVENTS]
  36. 36. Forefront Client Security demo
  37. 37. Tea/Coffee Break
  38. 38. Security: Application Layer
  39. 39. Anti-Virus For Application Servers
      Gartner Magic Quadrant: E-Mail Security Boundary - Leader -
      • Distributed protection
      • Performance tuning
      • Content filtering
      • Central management
      [Diagram labels: Internet; Exchange Server/Windows-based SMTP Server; points A, B, C, D, E]
  40. 40.
      • Secure Remote Access: Optimized access for employees, partners, and customers from virtually any device or location
      • Branch Office Security: Enhanced connectivity and security for remote sites and applications
      • Internet Access Protection: Increased resiliency for IT infrastructure from Internet-based threats
  41. 41. Microsoft IAG For Secure Access
      Customizable Enterprise Security
      • SSL VPN access to internal applications
      • Microsoft, third-party, and custom apps supported
      • Granular access control rules
      • Support for multiple authentication mechanisms
  42. 42. Intelligent Application Gateway demo
  43. 43. Lunch Break
  44. 44. Security and Management: Systems Management Suite Enterprise
  45. 45.
  46. 46. Join Us…
      • Mail me:
      • IT Pro Momentum Program
      • Technet Plus Subscription
      • Quarterly VTD:
  47. 47. Thank you: આભાર, ধন্যবাদ, நன்றி, धन्यवाद, ధన్యవాదాలు, ಧನ್ಯವಾದಗಳು, ଧନ୍ୟବାଦ, നിങ്ങള്‍‌ക്ക് നന്ദി, ਧੰਨਵਾਦ
  48. 48. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
      The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.