Windows 2008 Security


  1. Security. Presenter: Amit Gatenyo, Infrastructure & Security Manager, Dario IT Solutions ltd, 054-2492499, amit.g@dario.co.il
  2. Security: provides unprecedented levels of protection for your network, your data, and your business. Web: delivers rich web-based experiences efficiently and effectively. Virtualization: reduces costs, increases hardware utilization, optimizes your infrastructure, and improves server availability.
  3. Security features: secure development process; Secure Startup and shield up at install; code integrity; Windows service hardening; inbound and outbound firewall; Restart Manager; improved auditing; Network Access Protection; event forwarding; policy-based networking; server and domain isolation; removable device installation control; Active Directory Rights Management Services; security compliance.
  4. Defense in depth: reduce the size of high-risk layers; segment the services; increase the number of layers. (Diagram: kernel drivers, user-mode drivers, Service 1, Service 2, Service 3, ..., Service A, Service B.)
  5. Service accounts. Windows XP SP2 / Server 2003 R2: LocalSystem, Network Service, Local Service. Windows Vista / Server 2008: LocalSystem; Firewall Restricted Network Service; Network Restricted Local Service; No Network Access LocalSystem; Network Service Fully Restricted; Local Service Fully Restricted.
  6. Service hardening, Windows XP / Windows Server 2003 versus Windows Vista / Windows Server 2008:
     • Running operating-system processes in an environment separated from the user's environment: XP/2003: not possible, session 0 is reachable from the user environment; Vista/2008: possible, session 0 is isolated from the user environment
     • Granting permissions on objects: XP/2003: possible at the service-account level; Vista/2008: possible at the per-service SID level
     • Running operating-system processes: XP/2003: relies mainly on LocalSystem; Vista/2008: relies on a mechanism that hands out partial privileges drawn from the LocalSystem / LocalService / NetworkService privilege sets
     • Use of a write-restricted token: XP/2003: not available; Vista/2008: possible
     • Restricting services' access to network resources: XP/2003: only partially possible (inbound) and conditional on Windows Firewall being enabled; Vista/2008: most Windows services are hardened against network access automatically, without depending on Windows Firewall, and for application services hardening rules can be defined through an API
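An added example, not part of the presentation: a PowerShell audit of how the per-service SIDs and privilege sets from the table above are actually applied on a host. It combines WMI with the sc.exe qsidtype and qprivs subcommands; the function names and the sc.exe text layout it parses (SERVICE_SID_TYPE: NONE / UNRESTRICTED / RESTRICTED) are assumptions about an English-language Vista/2008 or later system.

```powershell
# Added example: report which services still run with the pre-Vista model
# (LocalSystem with no per-service SID) by combining WMI with "sc.exe qsidtype"
# (SERVICE_SID_TYPE: NONE / UNRESTRICTED / RESTRICTED) and "sc.exe qprivs".
# Assumes sc.exe's English text layout on Vista/2008 and later; run elevated.

function Get-ServiceSidType {
    param([Parameter(Mandatory=$true)][string]$Name)
    # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE:  UNRESTRICTED"
    $out = & sc.exe qsidtype $Name 2>&1 | Out-String
    if ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Get-ServicePrivileges {
    param([Parameter(Mandatory=$true)][string]$Name)
    # sc.exe qprivs lists one privilege per line after "PRIVILEGES" / ":"
    $out = & sc.exe qprivs $Name 2>&1
    return @($out | ForEach-Object {
        if ($_ -match ':\s*(Se\w+Privilege)') { $Matches[1] }
    })
}

function Get-ServiceHardeningReport {
    Get-WmiObject Win32_Service | ForEach-Object {
        $sid  = Get-ServiceSidType $_.Name
        $priv = Get-ServicePrivileges $_.Name
        New-Object PSObject -Property @{
            Name       = $_.Name
            Account    = $_.StartName
            SidType    = $sid
            Privileges = ($priv -join ',')
            # LocalSystem with no service SID: nothing can be ACLed to this
            # service alone and its token cannot be write-restricted
            Unhardened = ($_.StartName -eq 'LocalSystem' -and $sid -eq 'NONE')
        }
    }
}

# Print the services that the Vista/2008 model leaves unhardened on this host
Get-ServiceHardeningReport | Where-Object { $_.Unhardened } |
    Sort-Object Name | Format-Table Name, Account, SidType, Privileges -AutoSize
```

Third-party services that appear in the output are candidates for a dedicated service SID and a trimmed privilege list rather than LocalSystem.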
  7. Combined firewall and IPsec management; firewall rules become more intelligent; policy-based networking.
  8. Windows Firewall, Windows XP / Windows Server 2003 versus Windows Vista / Windows Server 2008:
     • Policy enforcement for inbound traffic: XP/2003: possible; Vista/2008: possible
     • Policy enforcement for outbound traffic: XP/2003: not possible; Vista/2008: possible
     • Policy enforcement for secure transport configuration: XP/2003: not supported at the firewall level, can be implemented through IP security policies (GPO); Vista/2008: possible, using IPsec
     • Policy enforcement by domain membership: XP/2003: not possible; Vista/2008: possible
     • Policy enforcement by user name / computer name: XP/2003: not possible; Vista/2008: possible
     • Policy enforcement by the network the computer is connected to: XP/2003: not possible; Vista/2008: possible, with 3 profiles (public/private/domain)
     • Support for Windows service hardening: XP/2003: not available; Vista/2008: available
     • Support for applying rules via GPO: XP/2003: possible, but the interface differs from the Windows Firewall MMC; Vista/2008: possible, and identical to the Windows Firewall with Advanced Security MMC
     • Defining bypass rules for inbound/outbound traffic from specific computers: XP/2003: partially possible; Vista/2008: possible
     • Defining rules based on Active Directory objects: XP/2003: not possible; Vista/2008: possible
     • IPv6 support: XP/2003: possible but requires a service pack (Windows XP SP2, Windows Server 2003 SP1); Vista/2008: possible without a service pack
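An added example, not part of the presentation: a PowerShell check of the three firewall profiles listed in the table above, using the netsh advfirewall context that ships with Vista/2008 and later. The function names and the parsed output layout of "netsh advfirewall show allprofiles" are assumptions about an English-language system.

```powershell
# Added example: audit the three Windows Firewall with Advanced Security profiles
# (domain / private / public) by parsing "netsh advfirewall show allprofiles",
# which exists on Vista/2008 and later. Flags profiles that are off, do not block
# inbound traffic by default, or do not log dropped connections, and prints the
# corrective netsh command for each finding instead of running it. Run elevated.

function Get-FirewallProfileSettings {
    $text = & netsh advfirewall show allprofiles | Out-String
    # Output is blocks like "Domain Profile Settings:" followed by
    # "Setting<two or more spaces>Value" lines; -split keeps the captured name
    $blocks = $text -split '(?m)^(\w+) Profile Settings:'
    for ($i = 1; $i -lt $blocks.Count; $i += 2) {
        $s = @{}
        foreach ($line in ($blocks[$i + 1] -split "`r?`n")) {
            if ($line -match '^(.+?)\s{2,}(\S.*)$') { $s[$Matches[1]] = $Matches[2].Trim() }
        }
        New-Object PSObject -Property @{
            Profile    = $blocks[$i]
            State      = $s['State']
            Policy     = $s['Firewall Policy']
            LogDropped = $s['LogDroppedConnections']
        }
    }
}

function Test-FirewallProfiles {
    foreach ($p in Get-FirewallProfileSettings) {
        $n = $p.Profile.ToLower()   # netsh context names: domainprofile etc.
        if ($p.State -ne 'ON') {
            Write-Warning "$($p.Profile): firewall state is $($p.State)"
            "netsh advfirewall set ${n}profile state on"
        }
        if ($p.Policy -notmatch '^BlockInbound') {
            Write-Warning "$($p.Profile): default policy is '$($p.Policy)'"
            "netsh advfirewall set ${n}profile firewallpolicy blockinbound,allowoutbound"
        }
        if ($p.LogDropped -ne 'Enable') {
            Write-Warning "$($p.Profile): dropped connections are not logged"
            "netsh advfirewall set ${n}profile logging droppedconnections enable"
        }
    }
}

Test-FirewallProfiles
```

On a domain-joined server the same settings are better delivered through the GPO-backed Windows Firewall with Advanced Security node, which the table notes uses the identical interface.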
  9. Only a subset of the executable files and DLLs installed; no GUI interface installed; 9 available server roles; can be managed with remote tools.
  10. Customization; troubleshooting; administration; true application deployment; application and health management.
  11. Better tools: arsenal of admin tools; delegated management; secure remote management; shared config for web farms. Intuitive, task-oriented GUI; .NET management API; unified WMI provider for IIS/ASP.NET; powerful command-line support; rich runtime state information; automatic failure tracing and logging. (Diagram: site owner edits Web.config XML; administrator edits AppHost.config XML; manage remotely over secure HTTPS; shared config for shared app hosting on a web farm.)
  12. Group Policy allows a central encryption policy and provides branch office protection. Provides data protection even when the system is in unauthorized hands or is running a different or exploiting operating system. Uses a v1.2 TPM or a USB flash drive for key storage. (Diagram: Full Volume Encryption Key (FVEK); encryption policy.)
  13. Key protector options (columns: TPM only; USB only; TPM with PIN; TPM with USB) against threats (rows: attack during hibernate; attack during sleep/standby; attack against the boot process; attack against the online operating system; key exposure while offline; attack based on password exposure; user errors; plaintext data leakage; theft of the computer). The per-cell coverage marks of the table were not preserved.
  14. AD RMS protects access to an organization's digital files. AD RMS in Windows Server 2008 includes several new features: improved installation and administration experience; self-enrollment of the AD RMS cluster; integration with AD Federation Services; new AD RMS administrative roles. (Diagram: information author; the recipient.)
  15. Protected emails
  16. Add users with Read and Change permissions; verify aliases and DLs via AD; add advanced permissions.
  17. Set expiration date; enable print and copy permissions; add/remove additional users; contact for permission requests; enable viewing via RMA.
  18. Protected doc library
  19. AD FS provides an identity access solution. Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions. AD FS provides a web-based SSO solution. AD FS interoperates with other security products that support the Web Services Architecture. AD FS is improved in Windows Server 2008. (Diagram: web server; account federation server; resource federation server; federation trust between Leadcom and Dario.)
  20. RODC: main office and branch office; features and benefits.
  21. Enterprise PKI (PKIView); Online Certificate Status Protocol (OCSP); Network Device Enrollment Service; web enrollment.
  22. Cryptography Next Generation (CNG): includes algorithms for encryption, digital signatures, key exchange, and hashing; supports cryptography in kernel mode; supports the current set of CryptoAPI 1.0 algorithms; support for elliptic curve cryptography (ECC) algorithms; performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data.
  23. CryptoAPI versus CNG:
     • Support for symmetric encryption; support for asymmetric encryption; support for hashing; support for digital certificates: via CAPI 2.0 (the check marks for these rows were not preserved)
     • Architecture: CryptoAPI: CSP; CNG: protocol providers, CNG routers, CNG primitives
     • Support for legacy encryption mechanisms: CNG: none
     • Replacing the random number generator: CryptoAPI: requires rewriting the code; CNG: possible without a substantive code change
     • Adding new algorithms: CryptoAPI: not possible, fixed list; CNG: possible, dynamic and updatable list
     • Central management mechanism: CryptoAPI: none; CNG: possible through the key storage API
     • Suite B support: CryptoAPI: none
     • Algorithms: CryptoAPI: CAPI 1.0; CNG: AES, SHA1, SHA2, DSA, RSA, ECC, DH, ECDSA, ECDH, MD2, MD4, MD5, CAPI 1.0
     • Separating the private key from the application: CryptoAPI: not possible; CNG: possible through a key isolation process
     • Private key storage location: CryptoAPI: tied to the SID, which makes migration between domains hard; CNG: not tied to the SID, migration between domains is easy
     • Key storage format: CryptoAPI: REG suffix, 256-character limit on the name; CNG: new format with no REG suffix, 512-character limit on the name
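An added example, not part of the presentation: Windows PowerShell (.NET Framework) code that exercises the CNG properties the table above contrasts with CryptoAPI, through the .NET CngKey and ECDsaCng wrappers over the CNG key storage API. The function names and the key name are constructed for the example.

```powershell
# Added example: use CNG through its .NET wrappers (CngKey / ECDsaCng, which sit on
# the CNG key storage API) to do what the table above says CryptoAPI 1.0 cannot:
# create a Suite B ECDSA P-256 key as a named, non-exportable key in the Microsoft
# Software Key Storage Provider, so the private key is handled by the key isolation
# process and never enters this script, then sign and verify with it.
# The key name is a constructed value. Requires Windows PowerShell / .NET 3.5+.

Add-Type -AssemblyName System.Core

function New-IsolatedEcdsaKey {
    param([string]$KeyName = 'cng-demo-ecdsa-p256')
    $p = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $p.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
    $p.KeyUsages    = [System.Security.Cryptography.CngKeyUsages]::Signing      # signing only
    $p.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None    # never exportable
    return [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $KeyName, $p)
}

function Get-MessageSignature {
    param([System.Security.Cryptography.CngKey]$Key, [string]$Text)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($Key)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    return $ecdsa.SignData([Text.Encoding]::UTF8.GetBytes($Text))
}

function Test-MessageSignature {
    param([System.Security.Cryptography.CngKey]$Key, [string]$Text, [byte[]]$Signature)
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($Key)
    $ecdsa.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    return $ecdsa.VerifyData([Text.Encoding]::UTF8.GetBytes($Text), $Signature)
}

$key = New-IsolatedEcdsaKey
try {
    $sig = Get-MessageSignature $key 'CNG demo'
    "Signature length : $($sig.Length) bytes"
    "Verify original  : $(Test-MessageSignature $key 'CNG demo' $sig)"
    "Verify tampered  : $(Test-MessageSignature $key 'CNG demo!' $sig)"
    # The named key is persisted in the KSP and addressed by name, not by a
    # CryptoAPI key container bound to the user's SID
    "Persisted in KSP : $([System.Security.Cryptography.CngKey]::Exists($key.KeyName))"
} finally {
    $key.Delete()   # remove the demo key from the KSP
}
```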
  24. Terminal Services Gateway: a remote/mobile user on the Internet tunnels RDP over HTTPS to the TS Gateway in the perimeter network; the gateway strips off the HTTPS and passes the RDP traffic to terminal servers and other RDP hosts on the corporate network, consulting the Network Policy Server and the Active Directory DC.
  25. What is Network Access Protection? Health policy validation; health policy compliance; ability to provide limited access; enhanced security; increased business value. (Diagram: Windows client; DHCP, VPN, switch/router; NPS; policy servers such as patch and AV; remediation servers, for example patch; restricted network for clients that are not policy compliant; corporate network for policy-compliant clients.)
  26. How NAP works:
     1. The Windows client requests access to the network and presents its current health state.
     2. DHCP, VPN or the switch/router relays the health status to the Microsoft Network Policy Server (RADIUS).
     3. The Network Policy Server (NPS) validates it against the IT-defined health policy.
     4. If not policy compliant, the client is put in a restricted VLAN and given access to fix-up resources (remediation servers, for example a patch server) to download patches, configurations and signatures; steps 1 to 4 repeat.
     5. If policy compliant, the client is granted full access to the corporate network.
  27. Internet Protocol security (IPsec)-protected communications; IEEE 802.1X-authenticated network connections; remote access virtual private network (VPN) connections; Dynamic Host Configuration Protocol (DHCP) configuration.
  28. Policy based: was network access allowed. • Health based: % compliant per SHA (System Health Agent).
  29. http://www.dario.co.il/blog
  30. Amit Gatenyo, Infrastructure & Security Manager, Dario IT Solutions ltd, amit.g@dario.co.il, 054-2492499
