
Windows Server 2008 Security Overview Short



In this presentation we review the Security Changes in Windows 2008 and Windows 2008 R2.

Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
Costa Rica



  1. Ing. Eduardo Castro, PhD Comunidad Windows
  2. 2. “Windows Server 2008 helps Macquarie operate… our remote offices more securely and be able to used RODC to “We’ll place domain controllers at sites efficiently than we could in the past.” key infrastructure thatwhere physical security has “The public always been a concern and we’ll we Phillip Dundas created through our have much better control over our deployment of Lead, Technical Team Windows Server remote infrastructure.” Windows Server Group, Information Technology 2008 has fundamentally increased confident that the bank is Group “We are the Macquarie Group Limited security more secure, that devices level of information Loic Calvez now that we have at the bank.”Senior Enterprise Infrastructure are secure, accessing our network Architect Lafarge Security Director and that those devices meet our PKO Bank Polski current network policy for access.” Howard Witherby Senior Vice President of Operations National Bank & Trust
  3. Security Development Lifecycle; Installation Options; Read Only Domain Controller (RODC); Network Access Protection (NAP); Others
  4. [Diagram, columns: Foundation; Mostly Server R2; Mostly Windows 7] Service Hardening*; DirectAccess; BitLocker to Go; AppLocker; Multiple Firewall Profiles; Kernel Patch Protection*; Enhanced Storage Access; Streamlined UAC; Data Execution Prevention*; DNSSEC; Biometric Framework; Enhanced Auditing*; BitLocker*; HTTP PKI Enroll; PIV Smartcards; Suite-B for EFS, Kerberos, TLS v1.2 and more
  5. Methods of Security and Policy Enforcement: Network Location Awareness; Network Access Protection; Windows Firewall with Advanced Security; Internet Protocol Security; Windows Server Hardening; Server and Domain Isolation; Active Directory Domain Services Auditing; Read-Only Domain Controller; BitLocker Drive Encryption; Removable Device Installation Control; Enterprise PKI
  6. Create inbound and outbound rules; Create a firewall rule limiting a service
  7. Integrated with WFAS; IPSec improvements; Simplified IPSec policy configuration; Client-to-DC IPSec protection; Improved load balancing and clustering server support; Improved IPSec authentication; Integration with NAP; Multiple authentication methods; New cryptographic support; Integrated IPv4 and IPv6 support; Extended events and performance monitor counters; Network diagnostics framework support
  8. What changes have been made to AD DS auditing?
  9. New Functionality; RODC AD database; Unidirectional replication; Credential caching; Password replication policy; Administrator role separation; Read-Only DNS; Requirements/special considerations
  10. A read-only Active Directory Domain Services database; Unidirectional replication mitigating misinformation even if a change is made on a RODC; Caching of only specific attributes based; Credential caching for only specific users; Separation of administrator capabilities; Read-only DNS; Pre-create RODC account allowing local installation without the need for admin credentials
  11. Data protection; Drive encryption; Integrity checking; BDE hardware and software requirements
  12. Easier management through PKIView; Certificate Web enrollment; Network device enrollment service; Managing certificate with group policy; Certificate deployment changes; Online certificate status protocol support; Cryptographic next generation
  13. Enforce Security Policy; Improve Domain Security; Improve System Security; Improve Network Communications Security
  14. Network Access Protection compared with Network Access Quarantine Control
      • Network Access Protection: Internal, VPN, and Remote Access Clients. IPSec, 802.1X, DHCP, and VPN. NAP NPS and Client included in Windows Server 2008; NAP client included in Windows Vista.
      • Network Access Quarantine Control: Only VPN and Remote Access Clients. DHCP and VPN. Installed from Windows Server 2003 Resource Kit.
  15. Automatic remediation; Health policy validation; Health policy compliance; Limited access
  16. How it works [Diagram: Windows Client; DHCP, VPN, Switch/Router; Microsoft NPS; Policy Servers e.g. Patch, Antivirus; Fix Up Servers e.g. Patch; Restricted Network (not policy-compliant); Corporate Network (policy-compliant)]
      1. Client requests access to network and presents current health state
      2. DHCP, VPN, or Switch/Router relays health status to Microsoft Network Policy Server (NPS) via Remote Authentication Dial-In User Service (RADIUS)
      3. Network Policy Server (NPS) validates against IT-defined health policy
      4. If not policy-compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
      5. If policy-compliant, client is granted full access to corporate network
  17. IPSec; 802.1X; VPN; DHCP; NPS RADIUS
  18. Create a NAP policy; Use the MMC to create NAP configuration settings; Create a new RADIUS client; Create a new system health validator for Windows Vista and Windows XP SP2
  19. Logical Networks; IPSec Enforcement; IEEE 802.1X; Remote Access VPNs; DHCP
  20. Checking the health and status of roaming laptops; Ensuring the health of corporate desktops; Determining the health of visiting laptops; Verify the compliance of home computers
  21. Carefully test and plan all security policies; Implement Network Access Protection; Use Windows Firewall and Advanced Security to implement IPSec; Deploy Read-Only Domain Controllers, where appropriate; Implement BitLocker Drive Encryption; Take advantage of PKI improvements
  22. Group Policy Changes: How Group Policy works now... [Diagram comparing Windows XP with Windows Vista/Windows Server 2008; panels: Group Policy Service; Group Policy Templates (ADM, ADMX, ADML); Local GPOs (LGPO); Group Policy Settings; Network Location Awareness (NLA); Central Store (SYSVOL); Group Policy Logging; Replication (FRS/DFS-R); New Tools - GPOLogView]
  23. What is new? GP PowerShell features; Adding to GP scripts extensions; PowerShell cmdlets to perform GP operations; Starter GPOs in-box in Windows 7; Best practices that map to the security guide; ADMX enhancements; GP Preferences enhancements; GP Preferences, new in Windows Server 2008; New items added to support new OS functionality
  24. Import-module GroupPolicy; get-help *-gp*
      • New: New-GPLink, New-GPO, New-GPStarterGPO
      • Get: Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetofPolicy, Get-GPStarterGPO
      • Set: Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue
      • Remove: Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue
      • Misc: Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO
  25. Have heard up to 11,000 GPOs; Not best practice; GPMC has perf issues loading; Management difficulties; Troubleshooting difficulties; Migration difficulties; Recommendation: Consolidate; AGPM is tested up to 2000 GPOs
  26. New UI: More intuitive, integrated help content, no more tabs; Support for: REG_MultiSZ, REG_QWORD
  27. Starter GPOs & ADMX UI
  28. Preference Settings; Not true “Policy”; More control of desktop – more settings!; Not limited to policy-aware applications; Ease of administration through rich UI; Better targeting; New in Windows 7: Support for new Power Plan settings; Support for new Schedule task triggers, actions, etc.
  29. Group Policy Preferences compared with Group Policies (Native / Managed)
      • Group Policy Preferences: Users can change settings; Multiple items per GPO; Can write registry settings to more than HKCU, HKLM hives; Granular targeting of individual items
      • Group Policies (Native / Managed): Settings are enforced, user cannot change settings; Settings revert back to original setting; Highest precedence; Work only on specific registry location
  30. Drive Mappings; Regional Settings; Printer Mappings; Shortcuts; Start Menu; Internet Explorer Settings
  31. Local Users and Groups; Services; Network Shares; Environment Variables
  32. Familiar Experience; Clearer to understand and find; Easy to manage; Better control of individual settings – Red/Green; Powerful browsers; Avoids typing errors; Configure settings quicker
  33. 29 different targeting options; Boolean AND, OR, IS, IS NOT; Wildcard support “WSBNE*”; Target on the item, not just the GPO
  34. Robust targeting; 29 types; Item level targeting, not GPO level; Boolean logic (And, Or, Not); Collections; Intuitive UI; No need to learn query languages
  35. Apply once and do not reapply; Remove when no longer applicable; Create – Replace - Update - Delete; More than just Enable vs Disable
  36. Active Directory: Windows 2000; Console - Group Policy Manager Console - Snap-in; Part of the Remote Server Admin Tool (link and end); One Windows 7 client or Windows Server 2008 R2 Terminal Server; Client - Client Side Extensions (CSE’s)
  37. 3000 Total ADMX settings; 300 new ADMX settings; IE more than 90 new; BitLocker; Taskbar; Power; Terminal Services rebranded “Remote Desktop Services”; Settings Spreadsheet
  38. 12 settings added under Security Options; Restrict NTLM (multiple); Kerberos encryption types; Local System null session fallback; Only supported on Windows 7 & Windows Server 2008 R2; Settings Spreadsheet
  39. Wireless Network (IEEE 802.11) Policies; Public Key Policies; Certificate Services Client - Certificate Enrollment Policy; BitLocker Drive Encryption; Network Access Protection; Enforcement Clients: Removed RAQ EC and TS Gateway; Enforcement Clients: Added RD Gateway QEC; Application Control Policies – AppLocker (More info); Advanced Audit Policy Configuration (More info); Name Resolution Policy
  40. Storage growth; Storage cost; Compliance; Security and Information leakage; Increasing data management needs / many data management products: Security, HSM, Archive, Backup, Encryption, Replication, Expiration
  41. Business; IT; Need per project share; Make sure business secret files do not leak out; Backup files with personal information to encrypted store; Expire low business impact files created three years ago and not touched for a year
  42. Step 1: Classify data; Step 2: Apply policy according to classification
  43. Information Personal Secrecy; Business; IT; Need per project share; Make sure business secret files do not leak out; Backup files with personal information to encrypted store; Expire low business impact files created three years ago and not touched for a year
  44. Step 1: Classify data (Manual; Automatic classification; Location; Content; Owner; Other; Line Of Business application; IT Scripts). Step 2: Apply policy based on classification (Expiration; Search; Reports; Backup; Custom commands; Archive; Security; Leakage prevention)
  45. Extensible infrastructure-Partner ecosystem; Inbox end to end scenarios; Integration with SharePoint; Get classification properties API for external applications; Set classification properties API for external applications; Pipeline: Discover Data, Extract classification properties, Classify data, Store classification properties, Apply Policy based on classification; Windows Server 2008 R2 File Classification Extensibility points
  46. When using IPSec – employ ESP with encryption; Carefully test and verify all IPSec Policies; Consider using Domain isolation; Use quality of service to improve bandwidth; Plan to prioritize traffic on the network; Apply network access protection to secure client computers
  47. IPSec Server Domain Isolation; Full Volume BitLocker on Servers; New elliptic curve encryption strength; Network Level Authentication for RDP; Service Profiling; New Levels of System Auditing; … and many more
  48. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
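
The GroupPolicy cmdlets listed on slide 24 can produce the inventory that the consolidation recommendation on slide 25 depends on. The PowerShell below is an added example, not part of the presentation; it assumes PowerShell 3.0 or later, the GroupPolicy module (RSAT/GPMC), and a hypothetical, already existing backup folder `C:\GPOBackups`.

```powershell
# Added example (not from the presentation): inventory GPOs as input to consolidation.
# Needs the GroupPolicy module and read access to the domain's GPOs.
Import-Module GroupPolicy

$inventory = foreach ($gpo in Get-GPO -All) {
    # The XML report carries link information that the Get-GPO object lacks.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # LinksTo is absent when the GPO is not linked to any site, domain or OU.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        Name         = $gpo.DisplayName
        Id           = $gpo.Id
        Status       = $gpo.GpoStatus        # e.g. AllSettingsDisabled
        Modified     = $gpo.ModificationTime
        LinkCount    = $links.Count
        EnabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' }).Count
        LinkTargets  = ($links | ForEach-Object { $_.SOMPath }) -join '; '
    }
}

# Review candidates: no enabled link anywhere, or every setting disabled.
$candidates = $inventory | Where-Object {
    $_.EnabledLinks -eq 0 -or $_.Status -eq 'AllSettingsDisabled'
}

'Total GPOs: {0}; review candidates: {1}' -f @($inventory).Count, @($candidates).Count
$candidates | Sort-Object Modified |
    Format-Table Name, Status, LinkCount, Modified -AutoSize

# Back up each candidate before anyone removes or merges it
# (Backup-GPO / Restore-GPO are in the Misc group on slide 24).
$backupDir = 'C:\GPOBackups'   # assumed path; must already exist
foreach ($c in $candidates) {
    Backup-GPO -Guid $c.Id -Path $backupDir -Comment 'Pre-consolidation backup' | Out-Null
}
```

A GPO with no enabled links applies to nothing, so it is a low-risk starting point for review; the backup step keeps a restore path if a removed GPO turns out to be referenced elsewhere.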