Windows 2008 R2 Security
Speaker notes (DirectAccess slides):

  • In Windows 7 we are fixing that: a new approach to networking, so the user has the same experience in the office that they have outside it. Any time you have Wi-Fi, you have corpnet access too. The IT benefits are significant: while you are connected, IT can apply Group Policy, updates, and remote assistance. The connectivity goes both ways.

    One of the goals of Windows 7 is to enable users to access the information they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which only requires an Internet connection to connect to the Exchange server. But users still have a challenge when accessing resources that are inside the corporate network; for example, users cannot open links to an internal web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard to use because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users try to avoid the VPN as much as possible and stay disconnected from the corporate network for as long as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot manage them while they are away from work; remote users fall further out of date, and it gets harder and harder for them to access corporate resources. With the capabilities Windows 7 enables, users who have Internet access will be automatically connected to their corporate network. A user sitting in a coffee shop can open his laptop, connect to the Internet using the coffee shop's wireless access, and start working as if he were in the office.

    The user in this case will be able not only to use Outlook, but also to work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources. This solution is also very appealing to IT professionals: managing mobile PCs has always been an issue, since they could be disconnected from the corporate network for a long time. With this work-access solution, as long as they have Internet connectivity, users will be on the corporate network. Servicing mobile users (such as distributing updates and Group Policy) is easier since they can be reached more frequently by IT systems. Deploying Windows 7 will not automatically enable this type of work-access connection. You will have the choice to enable it or not, and it will require some changes to your back-end network infrastructure, including having at least one server running Windows Server 2008 R2 at the edge of your network. The solution takes advantage of Microsoft's investments in IPsec and IPv6 to provide secure connectivity even when not on the physical corporate network. This feature requires Windows 7 Enterprise on the client PC.
Slides:

1. Windows 2008 R2 Security
  • Amit Gatenyo
  • Infrastructure & Security Manager, Dario
  • Microsoft Regional Director - Windows Server & Security
  • amit.g@dario.co.il
  • 054-2492499

2. Agenda
  • Service Hardening
  • Firewall
  • BitLocker
  • DirectAccess
  • RMS
  • RODC
  • PKI
  • RDS Gateway
  • NAP
  • AD Recycle Bin
  • Managed Service Accounts

3. Service Hardening (diagram comparing the service privilege levels available on each platform)
  • Windows XP SP2/Server 2003 R2: LocalSystem, Network Service, Local Service
  • Windows 7/Server 2008 R2 adds firewall- and network-restricted variants: LocalSystem Firewall Restricted, Network Service Network Restricted, Network Service Fully Restricted, Local Service No Network Access, Local Service Fully Restricted

4. Service Hardening Summary (table slide; no text captured)

5. Windows Firewall with Advanced Security
  • Firewall rules become more intelligent
  • Policy-based networking
  • Combined firewall and IPsec management

6. Windows Firewall Summary (table slide; no text captured)
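As an added example (not part of the deck), the following PowerShell applies the two ideas from the Service Hardening and Windows Firewall slides to a hypothetical service named ContosoAgent: a least-privileged account, a per-service SID with a trimmed privilege list, and firewall rules scoped to that service. The service name, port 8443, the 10.0.0.0/8 subnet and the privilege list are assumptions; run it elevated on Windows Server 2008 R2.

```powershell
# Added example (not from the deck): restrict a hypothetical service named
# ContosoAgent using Windows Service Hardening and Windows Firewall with
# Advanced Security. Run from an elevated PowerShell on Windows Server 2008 R2.
# Call sc.exe explicitly: in PowerShell, 'sc' is an alias for Set-Content.
$svc = 'ContosoAgent'   # assumed service short name

# 1. Inspect what the service currently gets.
sc.exe qsidtype $svc    # SID type: NONE, UNRESTRICTED or RESTRICTED
sc.exe qprivs $svc      # privileges kept in the service token

# 2. Run under the least-privileged built-in account that still works.
#    Local Service has no network identity; Network Service does.
sc.exe config $svc obj= 'NT AUTHORITY\LocalService'

# 3. Give the service its own per-service SID. RESTRICTED also write-restricts
#    the token, so the service can only write to objects that grant its SID.
#    The per-service SID is what lets firewall rules target this one service.
sc.exe sidtype $svc restricted

# 4. Keep only the privileges the service needs (assumed list); the rest go.
sc.exe privs $svc SeChangeNotifyPrivilege/SeIncreaseWorkingSetPrivilege

# 5. Firewall rules scoped to the service ("Network Restricted" model).
#    Inbound default is block, so this allow rule means: only this service may
#    accept TCP 8443, and only from the corporate subnet (assumed values).
netsh advfirewall firewall add rule name=ContosoAgent-In-8443 dir=in `
    action=allow service=ContosoAgent protocol=TCP localport=8443 `
    remoteip=10.0.0.0/8 profile=domain enable=yes
#    Block rules win over allow rules in Windows Firewall, so to take the
#    service off the network entirely ("No Network Access") add an outbound block.
netsh advfirewall firewall add rule name=ContosoAgent-Out-Block dir=out `
    action=block service=ContosoAgent enable=yes

# 6. SID type and privilege changes apply at next start; restart and verify.
Restart-Service $svc
sc.exe qsidtype $svc
sc.exe qprivs $svc
netsh advfirewall firewall show rule name=ContosoAgent-In-8443
```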
7. BitLocker Drive Encryption
  • Full Volume Encryption Key (FVEK)
  • Encryption policy: Group Policy allows a central encryption policy and provides branch office protection
  • Provides data protection even when the system is in unauthorized hands or is running a different or exploiting operating system
  • Uses a v1.2 TPM or USB flash drive for key storage

8. BitLocker Encryption Types (table slide; no text captured)

9. DirectAccess
  • Remote access is now ubiquitous
  • Comprehensive anywhere access for Windows 7 and Windows Server 2008 R2
  • Seamless, always-on, secure connectivity; no separate client software required
  • Utilizes networking technologies already in Windows Server 2008
  • No separate action required to connect to corpnet while remote; corpnet is simply there
  • Leverages policy-based network access
  • Enables desktop management regardless of client location

10. DirectAccess (architecture diagram: Windows 7 client, Internet, DirectAccess server, IPv6 and IPv4 intranet devices)
  • DirectAccess provides transparent, secured access to intranet resources without a VPN
  • Windows 7 client to DirectAccess server: native IPv6 with IPsec; supports a variety of remote network protocols; allows IPsec encryption and authentication
  • IPv6 devices: supports direct connectivity to IPv6-based intranet resources
  • IPv4 devices: supported via IPv6 transition services (6to4) or NAT-PT
  • IT desktop management: allows desktop management of DirectAccess clients (AD Group Policy, NAP, software updates)

11. AD Rights Management Services
  • AD RMS protects access to an organization's digital files
  • Improved installation and administration experience
  • Self-enrollment of the AD RMS cluster
  • Integration with AD Federation Services
  • New AD RMS administrative roles
  • Diagram: RMS Server, AD, SQL, Information Author, The Recipient

12. Protected emails

13. Apply Permissions to New Email

14. (no text captured)

15. (no text captured)

16. (no text captured)

17. Protected email permissions
  • Add users with Read and Change permissions
  • Verify aliases & DLs via AD
  • Add advanced permissions

18. Advanced permissions
  • Add/remove additional users
  • Set expiration date
  • Enable print, copy permissions
  • Contact for permission requests
  • Enable viewing via RMA

19. Read-Only Domain Controller (RODC) (diagram: main office, branch office)
  Features:
  • Read-only Active Directory database
  • Only allowed user passwords are stored on the RODC
  • Unidirectional replication
  • Role separation
  Benefits:
  • Increases security for remote domain controllers where physical security cannot be guaranteed

20. PKI Enhancements
  • Online Certificate Status Protocol (OCSP)
  • Enterprise PKI (PKIView)
  • Web Enrollment
  • Network Device Enrollment Service

21. Cryptography Next Generation (CNG)
  • Includes algorithms for encryption, digital signatures, key exchange, and hashing
  • Supports cryptography in kernel mode
  • Supports the current set of CryptoAPI 1.0 algorithms
  • Support for elliptic curve cryptography (ECC) algorithms
  • Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data

22. CNG vs CAPI (table slide; no text captured)
23. Terminal Services Gateway (diagram)
  • A remote/mobile user on the Internet tunnels RDP over HTTPS to the Terminal Services Gateway, passing through the external firewall into the perimeter network
  • The gateway strips off the HTTPS wrapper (RDP / HTTPS) and passes the RDP traffic through the internal firewall to the Terminal Servers and other RDP hosts on the corporate network
  • The Network Policy Server and the Active Directory DC on the corporate network back the gateway's policy and authentication decisions

24. Network Access Protection (diagram: Windows client; DHCP, VPN or switch/router; NPS; policy servers such as patch and AV; remediation servers, for example patch; restricted network; corporate network)
  1. Client requests access to the network and presents its current health state
  2. DHCP, VPN or switch/router relays the health status to the Microsoft Network Policy Server (RADIUS)
  3. Network Policy Server (NPS) validates it against the IT-defined health policy
  4. If policy compliant, the client is granted full access to the corporate network
  5. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations and signatures (repeat 1 - 4)

25. NAP Enforcement Methods
  • Internet Protocol security (IPsec)-protected communications
  • IEEE 802.1X-authenticated network connections
  • Remote access virtual private network (VPN) connections
  • Dynamic Host Configuration Protocol (DHCP) configuration
26. Recycle Bin for AD: customers can undo an accidental deletion in Active Directory
  Past limitations:
  • Accidental object deletion causes business downtime; deleted users cannot log on or access corporate resources
  • Accidental deletions are the number one cause of AD disaster recovery scenarios
  Feature takeaway:
  • Recycle bin for AD DS and AD LDS objects
  • Feature enabled with a new forest functional level
  • Requires all DCs in the forest to be Windows Server 2008 R2 DCs
  • For AD LDS, all replicas must be running in a new 'application mode'

27. Recycle Bin for AD: Object Life-cycle (diagram)
  • Windows Server 2008: Live Object, then Tombstone Object (180 days), then garbage collection. The LDAP control with OID 1.2.840.113556.1.4.417 returns tombstones.
  • Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008): Live Object, then Deleted Object (180 days), then Recycled Object (180 days), then garbage collection. OID 1.2.840.113556.1.4.417 returns deleted objects; OID 1.2.840.113556.1.4.2064 returns deleted and recycled objects.
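As an added example (not part of the deck), this PowerShell walks the life-cycle from slides 26 and 27 on the command line: check the forest functional level, enable the Recycle Bin, read the two lifetimes behind the 180-day stages, and restore a deleted user. The forest name contoso.com and the user jdoe are assumptions; it needs the Active Directory module on Windows Server 2008 R2.

```powershell
# Added example (not from the deck): enable the Active Directory Recycle Bin
# and recover a deleted object. Assumes forest contoso.com and a deleted user
# named 'jdoe' (both constructed for this example).
Import-Module ActiveDirectory

# 1. The feature needs the Windows Server 2008 R2 forest functional level,
#    which in turn requires every DC in the forest to run 2008 R2.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 2. Enable the feature. Enabling is irreversible, which is why it is a
#    deliberate forest-wide step rather than a default.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# 3. The two 180-day stages on the slide are attributes of the Directory
#    Service object: msDS-DeletedObjectLifetime (deleted, still recoverable)
#    and tombstoneLifetime (recycled, no longer recoverable). When
#    msDS-DeletedObjectLifetime is unset, the tombstoneLifetime value applies.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime |
    Select-Object 'msDS-DeletedObjectLifetime', tombstoneLifetime

# 4. Deleted objects sit in the Deleted Objects container and are hidden from
#    normal searches; -IncludeDeletedObjects sends the show-deleted LDAP
#    control (OID 1.2.840.113556.1.4.417 on the slide). sAMAccountName is
#    preserved on a deleted object, so it is a safe search key.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Format-List Name, ObjectGUID, lastKnownParent, whenChanged

# 5. Restore it. Without -TargetPath the object returns to its last known
#    parent with its SID, group memberships and attributes intact, which a
#    tombstone reanimation on Windows Server 2008 cannot provide.
Restore-ADObject -Identity $deleted.ObjectGUID
Get-ADUser jdoe | Select-Object Name, Enabled, DistinguishedName
```

If the object's container was deleted as well, restore the container first; lastKnownParent shows which one.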
28. Managed Service Accounts: simple management of service accounts
  Past limitations:
  • Management of individual accounts for services is cumbersome
  • Periodic maintenance often causes outages (example: resetting a service account password)
  Feature takeaway:
  • A manageable solution that addresses isolation needs for services
  • Better SPN management in Win7 domain functional mode
  • Lower TCO from reduced service outages (for manual password resets and related issues)
  • One Managed Service Account per service per box
  • No human intervention for password management!
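As an added example (not part of the deck), this PowerShell creates a Managed Service Account, binds it to one host and one service, and registers its SPN, so the password is never typed or stored by a person. The domain contoso.com, host APPSRV01, service ContosoAgent and account svc-agent are assumptions; it needs the Active Directory module on Windows Server 2008 R2.

```powershell
# Added example (not from the deck): create a Managed Service Account and bind
# it to one service on one host, so nobody ever handles its password.
# Assumed names: domain contoso.com, host APPSRV01, service ContosoAgent,
# account svc-agent. Needs the AD PowerShell module (Windows Server 2008 R2).
Import-Module ActiveDirectory

# --- On a management host, with rights to create the account ---
# 1. Create the MSA. The DC generates a long random password that the
#    bound computer rotates automatically, like its own machine password.
New-ADServiceAccount -Name 'svc-agent' -Enabled $true `
    -Path 'CN=Managed Service Accounts,DC=contoso,DC=com'

# 2. Tie the MSA to the one computer allowed to retrieve its password
#    (one MSA per service per box, as the slide says).
Add-ADComputerServiceAccount -Identity 'APPSRV01' -ServiceAccount 'svc-agent'

# 3. Register the SPN on the account so Kerberos works without anyone
#    editing it by hand later.
Set-ADServiceAccount -Identity 'svc-agent' `
    -ServicePrincipalNames @{Add='HTTP/appsrv01.contoso.com'}

# --- On APPSRV01, elevated ---
# 4. Install the MSA locally; this fetches the password into LSA.
#    Test-ADServiceAccount is $true only if this host can authenticate with it.
Install-ADServiceAccount -Identity 'svc-agent'
if (-not (Test-ADServiceAccount -Identity 'svc-agent')) {
    throw 'MSA is not usable on this host; check step 2 and domain connectivity.'
}

# 5. Point the service at the MSA. The logon name ends in '$' and the password
#    is left empty because Windows supplies it. Win32_Service.Change takes
#    StartName and StartPassword as its 7th and 8th arguments; ReturnValue 0
#    means success. The account also needs the 'Log on as a service' right
#    (services.msc grants it automatically; with scripts, verify in secpol.msc).
$s = Get-WmiObject Win32_Service -Filter "Name='ContosoAgent'"
$s.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc-agent$', '') |
    Select-Object ReturnValue
Restart-Service ContosoAgent
Get-WmiObject Win32_Service -Filter "Name='ContosoAgent'" |
    Select-Object Name, StartName, State
```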
29. Thank You!
  • Amit Gatenyo
  • Infrastructure & Security Manager, Dario
  • Microsoft Regional Director - Windows Server & Security
  • amit.g@dario.co.il
  • 054-2492499