Date posted: 22-Dec-2015
Microsoft Confidential

Windows Server 2008 Security and Microsoft Security
Bruce Lynn, Director of Server Business Group UK, Microsoft Corporation
Top Security Challenges

Virus & Malware Prevention: Viruses, Spyware and Worms; Botnets and Rootkits; Phishing and Fraud
Implementing Defense in Depth: Deploying Security Updates; System Identification and Configuration; Security Policy Enforcement
Security Management: Identity Management and Access Control; Managing Access in the Extended Enterprise; Security Risk of Unmanaged PCs
Business Practices: Regulatory Compliance; Development and Implementation of Security Policies; Reporting and Accountability
Security Dimensions

Secure Software: Trustworthy Computing; SDL; Secure by Default
Secure Platform: System architectures (file systems, core services); BitLocker, RODC, Address Space Load Randomization, PKI, Network Access Protection; Reduced Attack Surface (Server Core)
Security Solutions: Forefront Security family; Identity Lifecycle Management; OneCare, Windows Live Safety Center
Security Management: System Center family, Windows Update Service; Group Policy, Active Directory; Security Bulletins, ‘Patch Tuesdays’, Health Checks
Attacks Are Moving To Application Layer

~90% are exploitable remotely; ~60% are in web applications
Sources: IBM X-Force, Symantec 2007 Security Reports

[Chart: Vulnerabilities: Major Operating Systems versus Application Layer, 2004, 2005 and 2006 for operating systems and for applications. Data labels as extracted: 4802093, 578, 4069, 504, 6099]
Source: Microsoft Security Intelligence Report 2007
Trustworthy Computing

Milestones, 2002 to 2008: TWC announced, SDL begins; Windows Server 2003; DSI launched; Windows XP SP2; Malicious SW Removal Tool; Windows Server 2003 SP1; SQL Server 2005; Visual Studio 2005; Windows Live OneCare; Windows Defender; Windows Vista; Office 2007; Forefront; Windows Server 2008; SQL Server 2008
Making SDL Available To Developers

Education: Developer security center on MSDN; Security “How to” videos on MSDN/Channel 9
SDL Process: SDL website on Microsoft.com; Detailed SDL process guidance; Microsoft Privacy guidelines; SDL book published in 2006 (Lipner and Howard)
Security Tools: Integrated security tools in Visual Studio; Secure compiler and linker flags; Static code analysis (FxCop, /analyze); Removal of insecure APIs; Threat modeling tools
Windows Server 2008 Security: Hardens Operating System and Increases Environment Protection

Read-Only Domain Controller
Network Access Protection
Federated Rights Management
Server Protection Features

Development Process
Secure Startup and shield up at install
Code integrity
Windows service hardening
Inbound and outbound firewall
Restart Manager
Address Space Load Randomisation
Improved auditing
Network Access Protection
Event Forwarding
Policy Based Networking
Server and Domain Isolation
Removable Device Installation Control
Active Directory Rights Management Services
Security Compliance
Windows Server 2008 Hardening

Windows® XP SP2 / Server 2003 R2 service accounts: LocalSystem; Network Service; Local Service

Windows Vista / Server 2008 service accounts:
  LocalSystem (Firewall Restricted)
  Network Service (Network Restricted)
  Local Service (No Network Access)
  LocalSystem
  Network Service (Fully Restricted)
  Local Service (Fully Restricted)
BitLocker™ Drive Encryption

Group Policy allows central encryption policy and provides Branch Office protection
Provides data protection even when the system is in unauthorized hands or is booted into a different or hostile operating system
Uses a v1.2 TPM or USB flash drive for key storage
[Diagram: Full Volume Encryption Key (FVEK); Encryption Policy]
Network Access Protection

What is Network Access Protection?
[Diagram: Windows client connects through DHCP, VPN or switch/router to NPS; policy servers such as Patch and AV; remediation servers (example: Patch) on a restricted network; policy-compliant clients reach the corporate network, non-compliant clients stay on the restricted network]

Cisco and Microsoft Integration Story
Health Policy Validation; Health Policy Compliance; Ability to Provide Limited Access; Enhanced Security; Increased Business Value
Using Network Access Protection

1. Client requests access to network and presents current health state
2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)
3. Network Policy Server (NPS) validates against IT-defined health policy
4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)
5. If policy compliant, client is granted full access to corporate network

[Diagram: Windows client; DHCP, VPN or switch/router; NPS; policy servers such as Patch and AV; remediation servers (example: Patch) on the restricted network; corporate network]
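The five steps above, modelled as an added example that is not part of the slide deck and not Microsoft code: the client presents a statement of health, the enforcement point relays it to NPS, NPS checks it against the health policy, a non-compliant client is confined to the restricted network and remediated, and the cycle repeats until the client is granted full access. The health checks (firewall, signature age, required patches), the patch identifiers KB-EXAMPLE-1 and KB-EXAMPLE-2, and the reference date are all constructed.

```python
# Added example: a model of the NAP health-validation flow (steps 1-5).
# Policy values, check names and patch identifiers are constructed.
from dataclasses import dataclass
from datetime import date

TODAY = date(2008, 3, 1)  # constructed reference date for signature-age checks


@dataclass(frozen=True)
class StatementOfHealth:
    """Health state the client presents when it requests access (step 1)."""
    hostname: str
    firewall_enabled: bool
    av_signature_date: date
    installed_patches: frozenset


@dataclass(frozen=True)
class HealthPolicy:
    """IT-defined health policy held by the Network Policy Server (step 3)."""
    require_firewall: bool
    max_signature_age_days: int
    required_patches: frozenset


@dataclass
class AccessDecision:
    compliant: bool
    network: str          # "corporate" (full access) or "restricted" (remediation VLAN)
    failed_checks: list


class NetworkPolicyServer:
    """NPS: validates a statement of health against the policy (step 3)."""

    def __init__(self, policy: HealthPolicy, today: date = TODAY):
        self.policy = policy
        self.today = today

    def validate(self, soh: StatementOfHealth) -> AccessDecision:
        failed = []
        if self.policy.require_firewall and not soh.firewall_enabled:
            failed.append("host firewall disabled")
        age_days = (self.today - soh.av_signature_date).days
        if age_days > self.policy.max_signature_age_days:
            failed.append(f"antivirus signatures {age_days} days old")
        for patch in sorted(self.policy.required_patches - soh.installed_patches):
            failed.append(f"missing patch {patch}")
        if failed:
            # Step 4: a non-compliant client is confined to the restricted VLAN
            return AccessDecision(False, "restricted", failed)
        # Step 5: a compliant client is granted full corporate access
        return AccessDecision(True, "corporate", [])


def relay_health_status(nps: NetworkPolicyServer, soh: StatementOfHealth) -> AccessDecision:
    """Step 2: the DHCP server, VPN gateway or switch relays the health
    statement to NPS (RADIUS) and enforces whatever NPS decides."""
    return nps.validate(soh)


def remediate(soh: StatementOfHealth, remediation_catalog: frozenset,
              today: date = TODAY) -> StatementOfHealth:
    """Step 4 fix-up: from the restricted VLAN the client reaches the remediation
    servers, turns its firewall on, refreshes signatures and installs whatever
    patches the remediation server offers (constructed catalog)."""
    return StatementOfHealth(
        hostname=soh.hostname,
        firewall_enabled=True,
        av_signature_date=today,
        installed_patches=soh.installed_patches | remediation_catalog,
    )


def request_access(nps, soh, remediation_catalog, max_rounds=3):
    """Runs the whole cycle and returns one AccessDecision per round."""
    history = []
    for _ in range(max_rounds):
        decision = relay_health_status(nps, soh)   # steps 1-3
        history.append(decision)
        if decision.compliant:                      # step 5: done
            break
        soh = remediate(soh, remediation_catalog)   # step 4, then repeat 1-4
    return history


if __name__ == "__main__":
    policy = HealthPolicy(require_firewall=True, max_signature_age_days=7,
                          required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
    nps = NetworkPolicyServer(policy)
    # Constructed branch-office client: firewall off, stale signatures, one patch missing
    client = StatementOfHealth("branch-pc01", False, date(2008, 2, 1),
                               frozenset({"KB-EXAMPLE-1"}))
    for round_no, d in enumerate(request_access(nps, client, frozenset({"KB-EXAMPLE-2"})), 1):
        print(round_no, d.network, d.failed_checks)
```

The point worth taking from the model is that the decision lives in one place (NPS) while enforcement happens at the access point, so a failed check yields a list of concrete remediation tasks rather than a bare deny; if the remediation servers cannot supply a required patch, the client simply stays on the restricted network after `max_rounds`.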
AD Rights Management Services

AD RMS protects access to an organization’s digital files
AD RMS in Windows Server 2008 includes several new features:
  Improved installation and administration experience
  Self-enrollment of the AD RMS cluster
  Integration with AD Federation Services
  New AD RMS administrative roles
[Diagram: Information Author; RMS Server (SQL, AD); The Recipient]
Active Directory Federation Services

AD FS provides an identity access solution
Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions
AD FS provides a Web-based SSO solution
AD FS interoperates with other security products that support the Web Services Architecture
AD FS improved in Windows Server 2008
[Diagram: two organizations, Adatum and Contoso, each with its own AD; an Account Federation Server on one side and a Resource Federation Server with a Web Server on the other, linked by a Federation Trust]
Federated Rights Management

Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
AD RMS is fully claims-aware and can interpret AD FS claims
Office SharePoint Server 2007 can be configured to accept federated identity claims
[Diagram: Adatum and Contoso, each with its own AD; Account Federation Server and Resource Federation Server linked by a Federation Trust; RMS; Web SSO]
Read-Only Domain Controller

Features: Read-only Active Directory database; only allowed user passwords are stored on the RODC; unidirectional replication; role separation
Benefits: Increases security for remote Domain Controllers where physical security cannot be guaranteed
Supports ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
[Diagram: Main Office and Branch Office (RODC)]
How RODC Works

[Diagram: Branch (Read Only DC) and Hub (Windows Server 2008 DC)]
1. User logs on and authenticates
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to Windows Server 2008 DC
4. Windows Server 2008 DC authenticates request
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and RODC will cache credentials
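The six steps above, modelled as an added example that is not part of the slide deck and not Microsoft code. The writable hub DC holds every account's secret; the branch RODC forwards any logon it cannot resolve locally and, after a successful answer, caches the secret only for accounts on its allow list, which stands in for the "only allowed user passwords are stored on RODC" feature of the previous slide. Account names, passwords, the PBKDF2 verifier format and the TGT token string are constructed, and verifying a later logon locally against a cached secret is an assumption added to show the effect of caching.

```python
# Added example: a model of the RODC logon flow (steps 1-6).
# Account names, verifier format, allow list and TGT token are constructed.
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


def make_verifier(password: str, salt: bytes = None) -> tuple:
    """Constructed password verifier: salted PBKDF2 (not the real AD secret format)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(verifier: tuple, password: str) -> bool:
    """Constant-time comparison of a candidate password against a verifier."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class WritableDC:
    """Hub Windows Server 2008 DC: holds every account's secret."""
    verifiers: dict  # user -> verifier

    def authenticate(self, user: str, password: str):
        """Step 4: authenticate; step 5: return a TGT (constructed token) or None."""
        verifier = self.verifiers.get(user)
        if verifier is None or not check_password(verifier, password):
            return None
        return f"TGT-for-{user}"


@dataclass
class ReadOnlyDC:
    """Branch RODC: holds no secrets except those it is allowed to cache."""
    hub: WritableDC
    allowed_to_cache: frozenset                      # allow list (constructed)
    cache: dict = field(default_factory=dict)        # user -> cached verifier
    forwarded: list = field(default_factory=list)    # audit trail of forwarded logons

    def logon(self, user: str, password: str) -> tuple:
        """Step 1: user logs on. Returns (where_verified, tgt_or_None)."""
        # Step 2: look in the local database; a cached secret can be checked here
        if user in self.cache:
            ok = check_password(self.cache[user], password)
            return ("local", f"TGT-for-{user}" if ok else None)
        # Step 3: "I don't have the user's secrets" -> forward to the hub DC
        self.forwarded.append(user)
        tgt = self.hub.authenticate(user, password)   # steps 4-5
        # Step 6: hand the TGT to the user; cache the secret only if policy allows
        if tgt is not None and user in self.allowed_to_cache:
            self.cache[user] = self.hub.verifiers[user]
        return ("forwarded", tgt)


if __name__ == "__main__":
    # Constructed accounts: a branch user who may be cached, an admin who may not
    hub = WritableDC({"alice": make_verifier("correct horse"),
                      "admin": make_verifier("batt3ry staple")})
    rodc = ReadOnlyDC(hub, allowed_to_cache=frozenset({"alice"}))
    print(rodc.logon("alice", "correct horse"))   # forwarded, then cached
    print(rodc.logon("alice", "correct horse"))   # answered locally
    print(rodc.logon("admin", "batt3ry staple"))  # forwarded, never cached
    print("cached on RODC:", sorted(rodc.cache))
```

The defensive value is visible in `rodc.cache` after the run: a stolen or compromised branch RODC exposes only the secrets of accounts the allow list admitted, so privileged accounts that are kept off the list are never present on the branch box.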
Cryptography Next Generation (CNG)

Includes algorithms for encryption, digital signatures, key exchange, and hashing
Supports cryptography in kernel mode
Supports the current set of CryptoAPI 1.0 algorithms
Support for elliptic curve cryptography (ECC) algorithms
Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data
Microsoft Security: Defense In Depth

TWC; SDL
Systems Management: Operations Manager 2007; Configuration Manager 2007; Data Protection Manager; Mobile Device Manager 2008
Identity & Access Management: Active Directory Federation Services (ADFS); Certificate Lifecycle Management Services
Information Protection: Encrypting File System (EFS); BitLocker™
Network Access Protection (NAP)
Layers: Client and Server OS; Server Applications; Edge
Forefront Stirling Management
What is Microsoft Forefront?

Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.
Layers: Edge; Client and Server OS; Server Applications
End-to-End Protection

[Diagram: ISA Server 2006 at the network edge; Exchange Edge gateway and Exchange Hub Transport; Exchange Mailbox server; SharePoint Server; Live Communication Server (access proxy); IM and Documents flows; management station; viruses, worms and attacks arriving from outside]

Forefront for Server: AV helps block viruses and inappropriate content inbound; AS helps keep viruses off internal servers; content and file filtering helps prevent confidential information from being sent out
ISA Server: Firewall on network edge blocks application layer attacks; pre-authenticate users for network access; isolate and protect network segments; secure Exchange/OWA publishing; SMTP protocol scanning
Current anti-malware offerings

For Individual Users: MSRT; Windows Defender; Windows Live Safety Center; Windows Live OneCare
For Businesses: Microsoft Forefront Client Security
Capabilities compared: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT infrastructure integration
Core Infrastructure Optimization Model: Leverage IO to understand your security infrastructure

Maturity levels: Basic, Standardized, Rationalized, Dynamic

Capability                             Basic                                                                   Dynamic
Desktop, Device and Server Management  No desktop or server standards, many images, no management standards    Automated IT management, dynamic resource usage
Identity and Access Management         No common identity management model                                     Federated Identity Management across org. and platform boundaries
Security and Networking                No networks and security standards                                      Automated security and network management
Data Protection and Recovery           Ad hoc protection of key data                                           End to end data protection and disaster recovery
IT and Security Process                Ad hoc, reactive                                                        Proactive, optimize cost & quality, end-to-end service & policy management
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.