Security Technologies
Steve Lamb
Technical Security Advisor, Microsoft UK
http://blogs.technet.com/
[email protected]
"Effective Security"
Agenda
• Overview of Windows Server 2008 Security
• Windows Service Hardening
• Network Access Protection
• Read-Only Domain Controllers
• AD Rights Management
• Auditing
• Resources
Windows Server 2008 Security Architecture
Network Access Protection
Read-Only Domain Controller
AD Rights Management Services
Auditing
Windows Services Hardening
• Windows Services are profiled
• Reduce size of high-risk layers
• Segment the services
• Increase number of layers
[Diagram: kernel drivers (K) and user-mode drivers (U) alongside Services 1, 2, 3 … and Services A, B, arranged in layers]
Where is the boundary?
Network Access Protection
[Diagram: customers, partners and remote employees connecting from the Internet to the intranet]
Network Access Protection: How It Works
1. Access requested
2. Health state sent to NPS (RADIUS)
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation
[Diagram: Microsoft NPS, corporate network, policy servers (e.g., patch, AV), DHCP/VPN/switch/router enforcement point, restricted network, remediation servers (e.g., patch); the numbered steps above are shown for a policy-compliant client and a client that is not policy compliant]
Read-Only Domain Controller
[Diagram: main office and branch office, with an RODC in the branch office]
AD Rights Management
• Do NOT Forward - let's have a look at my email
How does RMS work?
[Diagram, steps 1-5: author using Office, the recipient, Windows Server running RMS, SQL Server, Active Directory]
Federated Rights Management
[Diagram: Adatum and Contoso, each with its own AD; Account Federation Server and Resource Federation Server joined by a federation trust; RMS; Web SSO]
Auditing - Comparison (Windows Server 2008 vs. Windows Server 2003)
Updated Event Viewer
Is EFS Dead?
A Quick Review
BitLocker
New Windows Firewall
• Inbound and Outbound Filtering
• New Management MMC
• Integrated Firewall and IPsec Policies
• Rule Configuration on Active Directory Groups and Users
• Support for IPv4 and IPv6
• Advanced Rule Options
• On by Default (Beta 3)
Server and Domain Isolation
• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted
• Enable tiered access to sensitive resources
[Diagram: corporate network with Active Directory domain controller, managed computers, trusted resource server, servers with sensitive data and an HR workstation (server isolation); an untrusted, unmanaged/rogue computer outside the domain isolation boundary is blocked]
Crypto Next Generation (CNG)
• Native AES 256 in the Kernel
• Can plug in new algorithms
• FIPS 140-2
Please fill in your Evaluation Form