{ Security Technologies }

Post on 22-Feb-2016



{ Security Technologies }

Steve Lamb
Technical Security Advisor, Microsoft UK
http://blogs.technet.com/steve_lamb
Stephen.lamb@microsoft.com

"Effective Security"

Agenda
• Overview of Windows Server 2008 Security
• Windows Service Hardening
• Network Access Protection
• Read-Only Domain Controllers
• AD Rights Management
• Auditing
• Resources

Windows Server 2008 Security Architecture

Network Access Protection

Read-Only Domain Controller

AD Rights Management Services

Auditing

• Windows Services are profiled
• Reduce size of high risk layers
• Segment the services
• Increase number of layers

[Diagram: user-mode (U) and kernel-mode (K) layers: kernel drivers, user-mode drivers, and separately segmented Service 1, Service 2, Service 3, ..., Service A, Service B]

Windows Services Hardening

Where is the boundary?


Network Access Protection

[Diagram: customers, partners and remote employees connecting from the Internet to the intranet]

Network Access Protection: How It Works

1. Access requested
2. Health state sent to NPS (RADIUS)
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation

[Diagram: a client requests access through DHCP, VPN or a switch/router; Microsoft NPS validates the health state against policy servers (e.g., patch, AV); a policy-compliant client is admitted to the corporate network, while a client that is not policy compliant is placed on the restricted network with remediation servers (e.g., patch); the steps are numbered 1 to 5 as listed above]

Read-Only Domain Controller

[Diagram: main office and branch office, with the RODC placed in the branch office]

AD Rights Management

• Do NOT Forward: let's have a look at my email

How does RMS work?

[Diagram: an author using Office, the recipient, a Windows Server running RMS, SQL Server and Active Directory, with the exchange between them numbered as steps 1 to 5]

Federated Rights Management

[Diagram: two organisations, Adatum and Contoso, each with its own AD; an Account Federation Server on one side and a Resource Federation Server on the other, linked by a Federation Trust; RMS and Web SSO provided across the trust]

Auditing - Comparison: Windows Server 2008 vs. Windows Server 2003

Updated Event Viewer

Is EFS Dead?


A Quick Review

BitLocker

New Windows Firewall
• Inbound and Outbound Filtering
• New Management MMC
• Integrated Firewall and IPsec Policies
• Rule Configuration on Active Directory Groups and Users
• Support for IPv4 and IPv6
• Advanced Rule Options
• On by Default (Beta 3)

[Diagram: Domain Isolation - an untrusted, unmanaged/rogue computer is blocked (X) from managed computers and the Active Directory domain controller on the corporate network; Server Isolation - servers with sensitive data accept a managed HR workstation but block (X) other managed computers, with a trusted resource server alongside]

• Define the logical isolation boundaries
• Distribute policies and credentials
• Managed computers can communicate
• Block inbound connections from untrusted
• Enable tiered-access to sensitive resources

Server and Domain Isolation

Crypto Next Generation (CNG)

• Native AES 256 in the Kernel
• Can plug in new algorithms
• FIPS 140-2

Please fill in your Evaluation Form