In this presentation we review the security changes in Windows 2008 and Windows 2008 R2 Saludos, Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP http://mswindowscr.org http://comunidadwindows.org Costa Rica Technorati Tags: SQL Server LiveJournal Tags: SQL Server del.icio.us Tags: SQL Server http://ecastrom.blogspot.com http://ecastrom.wordpress.com http://ecastrom.spaces.live.com http://universosql.blogspot.com http://todosobresql.blogspot.com http://todosobresqlserver.wordpress.com http://mswindowscr.org/blogs/sql/default.aspx http://citicr.org/blogs/noticias/default.aspx http://sqlserverpedia.blogspot.com/

2. Ing. Eduardo Castro, PhD
Comunidad Windows
ecastro@mswindowscr.org
http://comunidadwindows.org

3. “Windows Server 2008 helps
Macquarie operate… our remote
offices more securely and be able to used RODC to
“We’ll
place domain controllers at sites
efficiently than we could in the
past.” key infrastructure thatwhere physical security has
“The public always been a concern and we’ll
we Phillip Dundas
created through our have much better control over our
deployment of Lead,
Technical Team Windows Server
remote infrastructure.”
Windows Server Group, Information Technology
2008 has fundamentally increased confident that the bank is
Group “We are
the Macquarie Group Limited security more secure, that devices
level of information Loic Calvez
now
that we have at the bank.”Senior Enterprise Infrastructure are secure,
accessing our network Architect
Lafarge
Security Director
and that those devices meet our
PKO Bank Polski current network policy for access.”
Howard Witherby
Senior Vice President of Operations
National Bank & Trust

4. Security Development Lifecycle
Installation Options
Read Only Domain Controller (RODC)
Network Access Protection (NAP)
Others

5. Service DirectAccess BitLocker to Go
Foundation
Mostly Server R2
Mostly Windows 7
Hardening* AppLocker Multiple Firewall
Kernel Patch Enhanced Profiles
Protection* Storage Access Streamlined UAC
Data Execution DNSSEC Biometric
Prevention* Framework
Enhanced
BitLocker* Auditing* HTTP PKI Enroll
Suite-B for EFS, PIV Smartcards
Kerberos, TLS
v1.2 and more

6. Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security
Internet Protocol Security
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI

8. Create inbound and outbound rules
Create a firewall rule limiting a service

9. Integrated with WFAS
IPSec improvements
Simplified IPSec policy configuration
Client-to-DC IPSec protection
Improved load balancing and clustering server support
Improved IPSec authentication
Integration with NAP
Multiple authentication methods
New cryptographic support
Integrated IPv4 and IPv6 support
Extended events and performance monitor counters
Network diagnostics framework support

10. What
changes
have been
made to AD
DS
auditing?

11. New Functionality
RODC
AD database
Unidirectional replication
Credential caching
Password replication policy
Administrator role separation
Read-Only DNS
Requirements/special considerations

12. A read-only Active Directory Domain Services
database
Unidirectional replication mitigating misinformation
even if a change is made on a RODC
Caching of only specific attributes based
Credential caching for only specific users
Separation of administrator capabilities
Read-only DNS
Pre-create RODC account allowing local
installation without the need for admin credentials

13. Data protection
Drive encryption
Integrity checking
BDE hardware and software requirements

14. Easier management through PKIView
Certificate Web enrollment
Network device enrollment service
Managing certificate with group policy
Certificate deployment changes
Online certificate status protocol support
Cryptographic next generation

15. Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network
Communications Security

17. Network Access Protection Network Access Quarantine Control
Internal, VPN, and Remote Access Only VPN and Remote Access
Client Clients
IPSec, 802.1X, DHCP, and VPN DHCP and VPN
NAP NPS and Client included in Installed from Windows Server
Windows Server 2008; NAP client 2003 Resource Kit
included in Windows Vista

18. Automatic remediation
Health policy validation
Health policy compliance
Limited access

19. How it works
Policy Servers
e.g. Patch, Antivirus
3
1 2
Not policy-
compliant
4 Fix Up
Servers
e.g. Patch
Restricted
Windows Microsoft Network
Client NPS
DHCP, VPN, Policy-
Switch/Router compliant
Client requests access to network and presents current
1
health state 5 Corporate Network
DHCP, VPN, or Switch/Router relays health status to
2 Microsoft Network Policy Server (NPS) via Remote
Authentication Dial-In User Service (RADIUS)
Network Policy Server (NPS) validates against IT-defined
3 health policy
If not policy-compliant, client is put in a restricted VLAN
4
and given access to fix up resources to download patches,
configurations, signatures (Repeat 1 - 4)
5 If policy-compliant, client is granted full access to corporate network

20. IPSec
802.1X
VPN
DHCP
NPS
RADIUS

21. Create a NAP policy
Use the MMC to create NAP
configuration settings
Create a new RADIUS client
Create a new system health validator
for Windows Vista and Windows XP
SP2

22. Logical Networks
IPSec Enforcement
IEEE 802.1X
Remote Access VPNs
DHCP

24. Checking the health and status of roaming
laptops
Ensuring the health of corporate desktops
Determining the health of visiting laptops
Verify the compliance of home computers

25. Carefully test and plan all security policies
Implement Network Access Protection
Use Windows Firewall and Advanced
Security to implement IPSec
Deploy Read-Only Domain Controllers,
where appropriate
Implement BitLocker Drive Encryption
Take advantage of PKI improvements

26. Group Policy Changes
How Group Policy works now...
Windows
Group Policy Service
Process Group Policy
Templates Vista/Windows
Server 2008
GP now runs in a
Part of Winlogon ADM
Templates
ADM templates ADM
shared service ADM
ADM Templates now in
difficult to manage ADM ADM
Hardened Service, more ADMX
reliable Local GPOs (ADMX,
ADMX files ADM
ADML)
Multiple flexibility with a single local
Limited Local
Settings
Group Policy Settings GPOs
GPOLGPO’s
Over 800 policy settings in
~1,800 new policy changes LGPO
Local Computer
Local Computer Policy
with Windows Vista LGPO Policy
XP Admin Admin/Non-Admin Group Policy
Extended GP for new Windows
Vista features coverage
Incomplete User
User Specified Group Policy
Network Location missing key
means
Awareness scenarios of
Limited awareness
(NLA) Templates and
Group Policy Central
NLA service provides the latest
changing network Replication
Store
network information ADMX
conditions query or register with
Applications can
Centralized repository ADML
Journal Wrap
NLA for network change indications for ADMX
anyone? Bloated
SysVol
DC Created in the Sysvol
Troubleshootin
Group Policy Logging SYSVOL? l Policie
DC
SysVo
+
gAdministrative log on DC s
+ GUID
Applications and Services log in each domain ADM
+
Userenv log + Policy
XML based event logs New Replicator with
Definitions
ADMX, ADML
Files
GP Result
New Tools - GPOLogView FRS/DFS-R
DFS-R

27. What is new?
GP PowerShell features
Adding to GP scripts extensions
PowerShell cmdlets to perform GP operations
Starter GPOs in-box in Windows 7
Best practices that map to the security guide
ADMX enhancements
GP Preferences enhancements
GP Preferences, new in Windows Server 2008
New items added to support new OS
functionality

28. Import-module GroupPolicy
get-help *-gp*
New Get Set
•New-GPLink •Get-GPInheritance •Set-GPInheritance
•New-GPO •Get-GPO •Set-GPLink
•New-GPStarterGPO •Get-GPOReport •Set-GPPermissions
•Get-GPPermissions •Set-GPPrefRegistryValue
•Get-GPPrefRegistryValue •Set-GPRegistryValue
•Get-GPRegistryValue
•Get-GPResultantSetofPolicy
•Get-GPStarterGPO
Remove Misc
• Remove-GPLink • Backup-GPO
• Remove-GPO • Copy-GPO
• Remove- • Import-GPO
GPPrefRegistryValue • Rename-GPO
• Remove- • Restore-GPO
GPRegistryValue

29. Have heard up to 11,000 GPOs
Not best practice
GPMC has perf issues loading
Management difficulties
Troubleshooting difficulties
Migration difficulties
Recommendation:
Consolidate
AGPM is tested up to 2000 GPOs

30. New UI: More intuitive, integrated help content,
no more tabs
Support for:
REG_MultiSZ
REG_QWORD

31. Starter GPOs & ADMX UI

32. Preference Settings
Not true “Policy”
More control of desktop – more settings!
Not limited to policy-aware applications
Ease of administration through rich UI
Better targeting
New in Windows 7
Support for new Power Plan settings
Support for new Schedule task triggers, actions, etc.

34. Group Policies Group Policy
Preferences
(Native / Managed)
• Users can change
• Setting are enforced, settings
user cannot change • Multiple items per
settings GPO
• Settings revert back to • Can write registry
original setting settings to more than
• Highest precedence HKCU, HKLM hives
• Work only on specific • Granular Targeting of
registry location individual items

35. Drive Mappings
Regional Settings
Printer Mappings
Shortcuts
Start Menu
Internet Explorer
Settings

36. Local Users and
Groups
Services
Network Shares
Environment
Variables

37. Familiar Experience
Clearer to understand
and find
Easy to manage
Better control of individual
settings – Red/Green
Powerful browsers
Avoids typing errors
Configure settings quicker

38. 29 different targeting options
Boolean AND, OR, IS, IS NOT
Wildcard support
“WSBNE*”
Target on the item, not just the GPO

39. Robust targeting
29 types
Item level targeting, Boolean logic (And, Or, Not)
not GPO level Collections
Intuitive UI
No need to learn
query languages

40. Apply once and do not reapply
Remove when no longer applicable
Create – Replace - Update - Delete
More than just Enable vs Disable

41. Active Directory: Windows 2000
Console - Group Policy Manager Console - Snap-
in
Part of the Remote Server Admin Tool (link and end)
One Windows 7 client or Windows Server 2008 R2
Terminal Server
Client - Client Side Extensions (CSE’s)

42. 3000 Total ADMX settings
300 new ADMX settings
IE more than 90 new
Bitlocker
Taskbar
Power
Terminal Services rebranded
“Remote Desktop Services”
Settings Spreadsheet

43. 12 settings added under Security Options
Restrict NTLM (multiple)
Kerberos encryption types
Local System null session fallback
Only supported on Windows 7 & Windows
Server 2008 R2
Settings Spreadsheet

44. Wireless Network (IEEE 802.11) Policies
Public Key Policies
Certificate Services Client - Certificate
Enrollment Policy
BitLocker Drive Encryption
Network Access Protection
Enforcement Clients: Removed RAQ EC and
TS Gateway
Enforcement Clients: Added RD Gateway QEC
Application Control Policies – AppLocker
More info
Advanced Audit Policy Configuration
More info
Name Resolution Policy

45. Storage Storage Compliance Security and
growth cost Information leakage
Increasing data management needs / many data management products
Security
HSM Archive
Backup Encryptio
n
Replicatio
Expiration
n

46. Business IT
Need per project share
Make sure business secret files
do not leak out
Backup files with personal
information to encrypted store
Expire low business impact files
created three years ago and not
touched for a year

48. Step 1:
Classify data
Step 2:
Apply policy
according to
classification

49. Information
Personal
Secrecy
Business IT
Need per project share
Make sure business secret files do
not leak out
Backup files with personal
information to encrypted store
Expire low business impact files created
three years ago and not touched for a year

50. IT Scripts Automatic classification
Location
Step 1: Manual
Content
Classify data Line Of Business
application Owner
Other
Expiration Search
Step 2:
Reports Backup
Apply policy
based on Custom commands Archive
classification
Security Leakage prevention

51. Extensible infrastructure-Partner ecosystem
Inbox end to end scenarios
Integration with SharePoint
Get classification properties Set classification properties
API for external applications API for external applications
Extract Store Apply Policy
Discover
classification Classify data classification based on
Data
properties properties classification
Windows Server 2008 R2
File Classification Extensibility
points

52. When using IPSec – employ ESP with
encryption
Carefully test and verify all IPSec Policies
Consider using Domain isolation
Use quality of service to improve bandwidth
Plan to prioritize traffic on the network
Apply network access protection to secure
client computers

53. IPSec Server Domain Isolation
Full Volume Bitlocker on Servers
New elliptic curve encryption strength
Network Level Authentication for RDP
Service Profiling
New Levels of System Auditing
… and many more

54. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.