Operating System Security

Similar documents
MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Computer Security: Principles and Practice

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Section 12 MUST BE COMPLETED BY: 4/22

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

Security Considerations for DirectAccess Deployments. Whitepaper

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Kevin Dean Technology Strategist Education Southeast Microsoft Corporation

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

CMPT 471 Networking II

Windows 7, Enterprise Desktop Support Technician

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

70-685: Enterprise Desktop Support Technician

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Setting up VPN and Remote Desktop for Home Use

Windows 7, Enterprise Desktop Support Technician

Setting up VPN and Remote Desktop for Home Use

Anirudh Singh Rautela Security & Privacy Initiative Lead & Product Marketing Manager Security Microsoft

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Module 3: Resolve Software Failure This module explains how to fix problems with applications that have problems after being installed.

Trustworthy Computing

Andrea Valboni National Technology Officer Public Sector Microsoft Italy

Protecting Your Organisation from Targeted Cyber Intrusion

Windows 7. Qing Liu Michael Stevens

Preliminary Course Syllabus

FORBIDDEN - Ethical Hacking Workshop Duration

Penetration Testing Windows Vista TM BitLocker TM

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Medical Device Security Health Group Digital Output

Microsoft Security Development Lifecycle for IT. Rob Labbé Application Consulting and Engineering Services

2X SecureRemoteDesktop. Version 1.1

Achieving PCI-Compliance through Cyberoam

MBAM Self-Help Portals

Microsoft Windows Server System White Paper

Seven for 7: Best practices for implementing Windows 7

Maintaining, Updating, and Protecting Windows 7

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

Session ID: Session Classification:

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Medical Image Manager (MIM) Version 6.1.

How To Prevent Hacker Attacks With Network Behavior Analysis

MS MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp

Kaspersky Endpoint Security 10 for Windows. Deployment guide

Defender EAP Agent Installation and Configuration Guide

Strong Authentication for Microsoft SharePoint

Troubleshooting GeneMapper ID-X Software for HID Laboratories. AFDAA Meeting Austin, TX Feb, 2013

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

ICT Professional Optional Programmes

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Locking down a Hitachi ID Suite server

RSA SecurID Ready Implementation Guide

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Where every interaction matters.

Check Point FDE integration with Digipass Key devices

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

Creating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.

Practice test Domain-2 Security (Brought to you by RMRoberts.com)

PANO MANAGER CONNECTOR FOR SCVMM& HYPER-V

Troubleshooting and Supporting Windows 7 in the Enterprise

Course 6292A: Installing and Configuring Windows 7 Client. About this Course. Audience Profile

CTS2134 Introduction to Networking. Module Network Security

Security. TestOut Modules

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

With a little bit of IPv6 magic: Windows 7 DirectAccess

Single Sign-on (SSO) technologies for the Domino Web Server

Symantec Endpoint Protection Getting Started Guide

Malware & Botnets. Botnets

Windows Phone 8 Security deep dive

Web Application Security

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Owner of the content within this article is Written by Marc Grote

Loophole+ with Ethical Hacking and Penetration Testing

Symantec Mail Security for Microsoft Exchange

Quickstart Guide. First Edition, Published September Remote Administrator / NOD32 Antivirus 4 Business Edition

Modern Multi-factor and Remote Access Technologies

Windows Embedded Security and Surveillance Solutions

System Security Policy Management: Advanced Audit Tasks

Security Solution Architecture for VDI

Configure Outlook 2013 to connect to Hosted Exchange

Network Configuration/Bandwidth Planning Scope

MarkMlnasi Byron Hynes

Basic Setup Guide. Remote Administrator 4 NOD32 Antivirus 4 Business Edition Smart Security 4 Business Edition

Transcription:

Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1

Agenda Evolution of Threats Client vs. Server Security Operating System Security Software Development Lifecycle Take aways What s in it for you? Included Broad high level OS Security overview Server AND Client Security Things we (Microsoft) learned Avoid getting burned Not included Deep dive of any technology Many pretty pictures 2

Evolu.on of Computer Threats Local Area Networks First PC virus Boot sector viruses Create notoriety or cause havoc Slow propagation 16-bit DOS Internet Era Macro viruses Script viruses Create notoriety or cause havoc Faster propagation 32-bit Windows Broadband prevalent Spyware, Spam Phishing Botnets Rootkits Financial motivation Internet wide impact 32-bit Windows Peer to Peer Social engineering Application attacks Financial motivation Targeted attacks 64-bit Windows Today s Security Situation High public awareness of Security Broad use of computers Internet is great for committing crime Attacks happen in background Profits from crime are increasing 3

Addressing security challenges Server vs. Client Security Fundamental differences 1. Computer use Server: HTTP, File, Database, Mail, etc Client: Workstation, Laptop, Home Computer 2. Computer user Server: IT Professionals (most of them) Client: Everybody else 4

Server Security Security situation simplified, of course Network Location Open Ports Complex Configurations OS and Application Bugs It s easy to get it wrong Server Security Addressing the Security situation Change location Packet inspecting firewall (e.g. ISA) Configuration wizards (e.g. SCW) Bare bones configuration Well trained IT staff Robust Operating System 5

Client Security Client Security Situation again simplified Changing location (e.g. laptop) Many applications that want to connect Users install almost everything Users want stuff to work OS bugs Many application bugs Users want stuff to work We will steal you credit card information, your private data and all the money in your account. Do you want to continue? Word failed to verify the integrity of the file My PhD Thesis. Do you want to open the file anyway? Windows needs your permission to continue! 6

Client Security Addressing the Security situation (That would be a talk on its own) Robust Operating System Robust Operating System Secure Platform - Overview Isolation Authentication Access control Code signing (drivers and applications) Secure startup / TPM Service hardening Strong and modern cryptography Malware protection Software development lifecycle 7

Secure Platform - Isolation Today User Mode / Kernel Mode Boundary User to service isolation User to user isolation Levels of trust (IE) Future Application isolation Lessons learned System Windows pop up in session zero IE protected mode Secure Platform - Authentication Credential types Username / password Smart Cards / PKI Cardspace OTP / Tokens Protocols Kerberos NTLM Lesson learned Use of blank passwords Weak passwords Default password policy Smart Cards / PKI 8

Secure Platform Access Control Access Control Lists get em right Network Access Protection (NAP) IPSec User Account Control (UAC) BitLocker Secure Platform Signing Drivers The good stuff: Prevents loading of unsigned kernel code Big impact on security The challenge: Requires program for partners Legal program The bad stuff Does not prevent offline attacks Does not always prevent rootkits 9

Secure Platform Signing Applications The good stuff: Prevents loading of unsigned user code Big impact on security The challenge: MANY unsigned applications User experience Legal program The bad stuff Does not always prevent malware I would not know that my VP loves me Secure Platform Secure Startup The good stuff: Prevents offline attacks Guarantees a clean OS The challenge: Requires hardware Quite complex Virtualization 10

Secure Platform Service Hardening The good stuff: Isolates service Limits or prevents access to network Limits attack surface The challenge: Still difficult to get it right Lesson learned: Network access Impersonation Secure Platform Malware Protection Malware protection Windows Defender IE Protected Mode Windows Security Center Address Space Layout Randomization Data Execution Prevention 11

Software Development Lifecycle Ongoing training Attack surface review / threat modeling Expert reviews of designs Development Tools Security documentation Response plan Penetration testing Servicing Attack Surface Review How will the application be used? Who are the users? From where does the data come? How does good data look like? How could bad data look like? How do you authenticate users? How do you control access? 12

Development Tools Programming language Compiler warnings (/W4) Stack overrun protection (/GS) Eliminate dangerous APIs (strcpy) Prefast / prefix Penetration Testing Throw junk at APIs / Interfaces Use bad parameters Outside expert reviews Experts to pen test new software 13

Response Plan Expect bugs Have a contact point (e.g. MSRC) Designate a triage team Know the owner of the code Analyze and understand Come up with the right fix Know how to deploy Document and inform Technology investments Tools Compiler (e.g. /GS) Scan for forbidden APIs (strcpy) Prefast / Prefix 14

What we learned Security starts early in the design Good default settings Firewall on by default - Would have helped Todd Dis/allowed use of blank passwords Strong passwords for domains Smart Cards for secure access No use of Session Zero Restricted use of administrator Configuration wizards for server (SCW) What we learned - continued Install and run as little as possible Avoid asking unnecessary questions If you have to make it really simple 15

Enhancing security - issues Application compatibility Usability Integration into existing deployments 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 16

17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information