Microsoft Confidential Bruce Lynn Director of Server Business Group UK Microsoft Corporation.

Date post: 22-Dec-2015

Microsoft Confidential

Windows Server 2008 Security and Microsoft Security

Bruce Lynn
Director of Server Business Group UK
Microsoft Corporation

Top Security Challenges

Virus & Malware Prevention
• Viruses, Spyware and Worms
• Botnets and Rootkits
• Phishing and Fraud

Security Management
• Deploying Security Updates
• System Identification and Configuration
• Security Policy Enforcement

Implementing Defense in Depth
• Identity Management and Access Control
• Managing Access in the Extended Enterprise
• Security Risk of Unmanaged PCs

Business Practices
• Regulatory Compliance
• Develop and Implement Security Policies
• Reporting and Accountability

Security Dimensions

Secure Software
• Trustworthy Computing
• SDL
• Secure by Default

Security Management
• System Center family, Windows Update Service
• Group Policy, Active Directory
• Security Bulletins, ‘Patch Tuesdays’, Health Checks

Security Solutions
• Forefront Security family
• Identity Lifecycle Management
• OneCare, Windows Live Safety Center

Secure Platform
• System architectures (file systems, core services)
• BitLocker, RODC, Address Space Load Randomization, PKI, Network Access Protection
• Reduced Attack Surface (Server Core)


Secure Software

Attacks Are Moving To Application Layer

• ~90% are exploitable remotely
• ~60% are in web applications

Sources: IBM X-Force, Symantec 2007 Security Reports

[Chart: Vulnerabilities: Major Operating Systems versus Application Layer, years 2004, 2005, 2006; one series each for Operating Systems and Applications]

Source: Microsoft Security Intelligence Report 2007

Trustworthy Computing

[Timeline 2002 to 2008 with milestones: TWC Announced, SDL begins; Windows Server 2003; DSI Launched; Windows XP SP2; Malicious SW Removal Tool; Windows Server 2003 SP1; SQL Server 2005; Visual Studio 2005; Windows Defender; Windows Live OneCare; Windows Vista; Office 2007; Forefront; Windows Server 2008; SQL Server 2008]


Secure Platform

Making SDL Available To Developers

Education
• Developer security center on MSDN
• Security “How to” videos on MSDN/Channel 9

SDL Process
• SDL website on Microsoft.com
• Detailed SDL process guidance
• Microsoft Privacy guidelines
• SDL book published in 2006 (Lipner and Howard)

Security Tools
• Integrated security tools in Visual Studio
• Secure compiler and linker flags
• Static code analysis (FxCop, /analyze)
• Removal of insecure APIs
• Threat modeling tools

Windows Server 2008 Security
Hardens Operating System and Increases Environment Protection

• Read-Only Domain Controller
• Network Access Protection
• Federated Rights Management

Server Protection Features

Development Process
• Secure Startup and shield up at install
• Code integrity
• Windows service hardening
• Inbound and outbound firewall
• Restart Manager
• Address Space Load Randomisation
• Improved auditing
• Network Access Protection
• Event Forwarding
• Policy Based Networking
• Server and Domain Isolation
• Removable Device Installation Control
• Active Directory Rights Management Services
• Security Compliance

Windows Server 2008 Hardening (service accounts)

Windows® XP SP2 / Server 2003 R2
• LocalSystem
• Network Service
• Local Service

Windows Vista / Server 2008
• LocalSystem: Firewall Restricted
• Network Service: Network Restricted
• Local Service: No Network Access
• LocalSystem
• Network Service: Fully Restricted
• Local Service: Fully Restricted

BitLocker™ Drive Encryption

• Group Policy allows central encryption policy and provides Branch Office protection
• Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System
• Uses a v1.2 TPM or USB flash drive for key storage

[Diagram: Full Volume Encryption Key (FVEK), Encryption Policy]

Network Access Protection

What is Network Access Protection?
• Health Policy Validation
• Health Policy Compliance
• Ability to Provide Limited Access
• Enhanced Security
• Increased Business Value
• Cisco and Microsoft Integration Story

[Diagram: Windows Client; NPS reached via DHCP, VPN, Switch/Router; Policy Servers such as Patch, AV; Remediation Servers (example: Patch) on a Restricted Network; Corporate Network; paths for policy compliant and not policy compliant clients]

Using Network Access Protection

1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

[Diagram: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as Patch, AV; Remediation Servers (example: Patch) on a Restricted Network; Corporate Network]
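The five-step loop above, as an added simulation that is not part of the slide deck: the health-state fields, the policy threshold and the "fixable" set (which checks have a reachable remediation server) are constructed for illustration and are not real NAP or NPS interfaces.

```python
# Added example (not from the slide deck): a simulation of the NAP
# health-check loop in steps 1-5. HealthState fields, the policy
# threshold and the "fixable" rule are constructed for illustration.
from dataclasses import dataclass


@dataclass
class HealthState:
    """Statement of health the client presents in step 1 (constructed)."""
    patches_current: bool
    av_signature_age_days: int
    firewall_on: bool


@dataclass
class HealthPolicy:
    """IT-defined health policy that NPS evaluates in step 3."""
    max_signature_age_days: int = 7

    def evaluate(self, h: HealthState) -> list:
        """Return the failed checks; an empty list means policy compliant."""
        failures = []
        if not h.patches_current:
            failures.append("patches")
        if h.av_signature_age_days > self.max_signature_age_days:
            failures.append("av_signatures")
        if not h.firewall_on:
            failures.append("firewall")
        return failures


def remediate(h: HealthState, failures: list, fixable: set) -> HealthState:
    """Step 4 fix-up on the restricted VLAN: only checks whose remediation
    server is reachable (the 'fixable' set) can actually be repaired."""
    return HealthState(
        patches_current=h.patches_current or ("patches" in failures and "patches" in fixable),
        av_signature_age_days=0 if ("av_signatures" in failures and "av_signatures" in fixable)
        else h.av_signature_age_days,
        firewall_on=h.firewall_on or ("firewall" in failures and "firewall" in fixable),
    )


def request_access(policy: HealthPolicy, health: HealthState,
                   fixable: set, max_rounds: int = 3):
    """Run the steps 1-5 loop. Returns (decision, rounds_used, audit_trail)."""
    trail = []
    for rnd in range(1, max_rounds + 1):
        failures = policy.evaluate(health)                  # step 3
        if not failures:                                    # step 5
            trail.append(f"round {rnd}: compliant -> full access")
            return "full", rnd, trail
        trail.append(f"round {rnd}: failed {failures} -> restricted VLAN")
        health = remediate(health, failures, fixable)       # step 4, then repeat
    return "restricted", max_rounds, trail                  # still non-compliant
```

A client whose failing check has no reachable remediation server stays on the restricted VLAN after the round limit, which is the case a NAP deployment must monitor rather than silently loop on.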

AD Rights Management Services

• AD RMS protects access to an organization’s digital files
• AD RMS in Windows Server 2008 includes several new features:
  • Improved installation and administration experience
  • Self-enrollment of the AD RMS cluster
  • Integration with AD Federation Services
  • New AD RMS administrative roles

[Diagram: Information Author, The Recipient, RMS Server, SQL, AD]

Active Directory Federation Services

• AD FS provides an identity access solution
• Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
• AD FS provides a Web-based, SSO solution
• AD FS interoperates with other security products that support the Web Services Architecture
• AD FS improved in Windows Server 2008

[Diagram: Adatum (AD, Account Federation Server) and Contoso (AD, Resource Federation Server, Web Server) joined by a Federation Trust]

Federated Rights Management

• Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
• AD RMS is fully claims-aware and can interpret AD FS claims
• Office SharePoint Server 2007 can be configured to accept federated identity claims

[Diagram: Adatum (AD, Account Federation Server) and Contoso (AD, Resource Federation Server, RMS, Web SSO) joined by a Federation Trust]

Read-Only Domain Controller

Features
• Read Only Active Directory Database
• Only allowed user passwords are stored on RODC
• Unidirectional Replication
• Role Separation

Benefits
• Increases security for remote Domain Controllers where physical security cannot be guaranteed
• Supports ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

[Diagram: Main Office and Branch Office, with the RODC in the branch]

How RODC Works

Branch: Read Only DC. Hub: Windows Server 2008 DC.

1. User logs on and authenticates
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and RODC will cache credentials

Read-only DC Mitigates “Stolen DC”
• Attacker Perspective
• Hub Admin Perspective
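The six-step logon flow above, combined with the earlier "only allowed user passwords are stored on RODC" rule and the stolen-DC perspectives, as an added simulation that is not part of the slide deck: account names, the toy secret strings and the class and method names are constructed for illustration.

```python
# Added example (not from the slide deck): a simulation of the six-step
# RODC logon flow, the allowed-password caching rule, and what a stolen
# RODC would expose. Names and toy secrets are constructed.


class WritableDC:
    """Hub Windows Server 2008 DC: holds every account's secret."""

    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)   # user -> secret (constructed toy values)

    def authenticate(self, user: str, secret: str):
        """Step 4: verify the forwarded request; step 5: return a TGT or None."""
        if self.secrets.get(user) == secret:
            return {"user": user, "tgt": f"TGT-{user}"}
        return None


class RODC:
    """Branch read-only DC: caches only secrets the replication policy allows."""

    def __init__(self, hub: WritableDC, allowed_to_cache: set):
        self.hub = hub
        self.allowed = set(allowed_to_cache)   # the "allowed" password set
        self.cache = {}                        # user -> secret held locally
        self.forwarded = []                    # audit trail of hub round-trips

    def logon(self, user: str, secret: str):
        """Steps 1-6 for one logon attempt."""
        # Step 2: look in the local DB; a cached, matching secret is answered locally
        if self.cache.get(user) == secret:
            return {"user": user, "tgt": f"TGT-{user}"}
        # Step 3: "I don't have the user's secrets" -> forward to the writable DC
        self.forwarded.append(user)
        response = self.hub.authenticate(user, secret)   # steps 4-5
        # Step 6: hand the TGT to the user; cache credentials only if policy allows
        if response is not None and user in self.allowed:
            self.cache[user] = secret
        return response

    def exposed_if_stolen(self) -> list:
        """Attacker perspective: a stolen RODC yields only the cached accounts."""
        return sorted(self.cache)

    def accounts_to_reset(self) -> list:
        """Hub admin perspective: the same list is what must be reset after theft."""
        return self.exposed_if_stolen()
```

Accounts outside the allowed set (the constructed "domainadmin" below) authenticate through the branch but never leave a secret on it, which is the property the stolen-DC slide relies on.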

Cryptography Next Generation (CNG)

• Includes algorithms for encryption, digital signatures, key exchange, and hashing
• Supports cryptography in kernel mode
• Supports the current set of CryptoAPI 1.0 algorithms
• Support for elliptic curve cryptography (ECC) algorithms
• Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data


Security Software

Microsoft Security: Defense In Depth

TWC / SDL

Systems Management
• Operations Manager 2007
• Configuration Manager 2007
• Data Protection Manager
• Mobile Device Manager 2008

Identity & Access Management
• Active Directory Federation Services (ADFS)
• Certificate Lifecycle Management Services

Information Protection
• Encrypting File System (EFS)
• BitLocker™

Client and Server OS / Server Applications / Edge
• Network Access Protection (NAP)
• Forefront Stirling Management

What is Microsoft Forefront?

Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.

[Diagram: Edge, Client and Server OS, Server Applications]

End-to-End Protection

[Diagram: ISA Server 2006 at the network edge; Exchange Edge Gateway; Live Communication Server (access proxy); Exchange Hub Transport; Exchange Mailbox server; SharePoint Server; Live Communication Server; Management station; flows of E-mail, IM and Documents; threats: Viruses, Worms, Attacks]

Forefront for Server
• AV helps block viruses and inappropriate content inbound
• AS helps keep viruses off internal servers
• Content and file filtering helps prevent confidential information from being sent out

ISA Server
• Firewall on network edge blocks application layer attacks
• Pre-authenticate users for network access
• Isolate and protect network segments
• Secure Exchange/OWA publishing
• SMTP protocol scanning

Current anti-malware offerings

For Individual Users: MSRT, Windows Defender, Windows Live Safety Center, Windows Live OneCare
For Businesses: Microsoft Forefront Client Security

Capabilities shown on the slide:
• Remove most prevalent viruses
• Remove all known viruses
• Real-time antivirus
• Remove all known spyware
• Real-time antispyware
• Central reporting and alerting
• Customization
• IT infrastructure integration

Security Management

Core Infrastructure Optimization Model
Leverage IO to understand your security infrastructure

Maturity levels: Basic, Standardized, Rationalized, Dynamic

Capability areas: Desktop, Device and Server Management; Identity and Access Management; Security and Networking; Data Protection and Recovery; IT and Security Process

Basic
• No common identity management model
• No desktop or server standards, many images, no management standards
• No networks and security standards
• Adhoc protection of key data
• Adhoc, reactive

Dynamic
• Federated Identity Management across org. and platform boundaries
• Automated IT management, dynamic resource usage
• Automated security and network management
• End to end data protection and disaster recovery
• Proactive, Optimize cost & quality, End-to-End service & policy management


© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
