Anirudh Singh Rautela, Security & Privacy Initiative Lead & Product Marketing Manager, Security, Microsoft
Integrated security eases defense-in-depth architecture deployment. Adoption of open standards allows cross-platform integration.

Defense-in-depth layers and the Microsoft products that cover each:
- Management: System Center, Active Directory GPO
- Data: BitLocker, EFS, RMS, SharePoint, SQL
- User: Active Directory and Identity Lifecycle Manager
- Application: SDL process, IIS, Visual Studio, and .NET
- Device: Forefront Client Security, Exchange MSFP
- Internal Network: Network Access Protection, IPsec
- Perimeter: Forefront Edge and Server Security, NAP
Threats and pressures facing IT:
- Viruses and worms
- Botnets and rootkits
- Need for 24/7 uptime
- Information loss/leakage
- Personal info online
- Consumerization of IT
- Unauthorized access
- Phishing and fraud
- Regulatory compliance
- Corporate policies
- Spyware
- Patch management
- Unmanaged PCs
- Spam
- Inappropriate content
Secure Platform
- Security Development Lifecycle (SDL)
- Kernel Patch Protection
- Kernel-mode Driver Signing
- Secure Startup
- Windows Service Hardening
- x64 Hardware Integration

Data Protection
- Rights Management Services (RMS)
- SharePoint, Exchange, Windows Mobile integration
- Encrypting File System (EFS)
- BitLocker & BitLocker To Go

Secure Access
- User Account Control
- Network Access Protection (NAP)
- IPv6, IPsec
- Windows CardSpace
- Native smart card support
- GINA re-architecture
- Certificate Services
- Credential roaming
- AppLocker
- DirectAccess

Malware Protection
- Windows Defender
- IE Protected Mode
- Address Space Layout Randomization (ASLR)
- Data Execution Prevention (DEP)
- Bi-directional firewall / multi-profile support
- Windows Security Center
Secure Platform
- Security Development Lifecycle (SDL)
- Windows Server Virtualization (Hypervisor)
- Role Management Tool
- OS File Integrity

Data Protection
- Rights Management Services (RMS)
- Full volume encryption (BitLocker)
- USB device-connection rules with Group Policy
- Improved Auditing
- Windows Server Backup
- EFS
- File Classification Infrastructure

Network Protection
- Network Access Protection (NAP)
- Server and Domain Isolation with IPsec
- End-to-end Network Authentication
- Windows Firewall with Advanced Security, on by default
- DirectAccess

Identity & Access
- Read-only Domain Controller (RODC)
- Active Directory Federation Services (ADFS)
- Administrative Role Separation
- PKI Management Console
- Online Certificate Status Protocol
What is Active Directory? Foundation for Identity & Access Management

Active Directory at the center: Operational Efficiency, Improved Security, Improved Productivity, Interoperability
- Windows Users, Windows Servers, Windows Clients: Account Information, Privileges, Profiles, Policies, Single Sign-On
- Network Resources (File Shares, Printers): Policies, Configuration, Security, Quarantine Policies
- Microsoft Products: Product Information, Privileges, Profiles, Policies, Automated deployment
- Network Devices: Configuration, Quality of Service, Security Policies, Single Sign-On
- Other Systems (Directories, Databases, Mainframes, UNIX)
- 3rd Party Applications: Single Sign-On, Automated deployment, Configuration, App-specific directory data
- Firewall Services: Configuration, Security Policy, VPN & Remote Access, Quarantine, Single Sign-On

Focal point for network & user management. Central authority for network & application security. Integration point for bringing systems together.
Increase IT Operational Efficiency
- Increase efficiency of managing Windows by up to 30%
- Reduce the number of directories and passwords
- Central management of Windows servers & desktops

Strengthen Security
- Automate the lockdown of Windows systems
- Enforce the use of strong passwords & credentials
- Simplify managing access to network resources

Improve Employee Productivity
- Find people, applications, and resources faster
- Empower employees with rich collaboration capabilities
- Single sign-on to integrated applications and resources
Windows and Active Directory as the hub for Firewall, E-Mail, VPN, HR System and Unix:
- Focal point for user management
- Secure credential store
- Single sign-on to network resources
- User provisioning
- Password management
Do more with less effort: one administrator action (a new policy in Active Directory, drawing on 5000+ security settings) produces many end-user results and many computer results.
- Group Policy enables admins to set and maintain the needed computing state
- Group Policy Management Console (GPMC) makes administration much easier
Use Group Policy to:
- Manage configuration of servers, desktops & groups of users
- Automate enforcement of IT policies
- Automate system updates & application installations
- Consistently implement security settings across the enterprise
- Implement standard computing environments for users
Gain control of desktop and server security centrally:
- Users cannot change IP addresses or profiles
- Users cannot edit the registry, use pen drives or floppies, or change the system time
- Pre-populate needed icons in the task bar or Start menu
- Disable command prompts or Run options, which also improves security
- Reduce helpdesk calls
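A desktop lockdown GPO of the kind described above, as an added example (not from the deck): it uses the GroupPolicy module cmdlets to set the registry-based policies behind "disable command prompt", "remove Run", "prevent registry editing" and "deny removable disks", then links the GPO to an OU. The GPO name and OU path are hypothetical; the registry keys are the standard ones the policy templates write.

```powershell
# Added example: desktop lockdown GPO. Assumes RSAT/GroupPolicy module on a domain-joined admin
# workstation and an OU named "Kiosks" in contoso.com (hypothetical names).
Import-Module GroupPolicy

$gpoName = 'Desktop Lockdown'
$ou      = 'OU=Kiosks,DC=contoso,DC=com'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Central desktop lockdown (cmd, Run, regedit, removable disks)' | Out-Null
}

# User-side policies (HKCU): these map to the Administrative Templates settings
# "Prevent access to the command prompt", "Remove Run menu from Start Menu",
# "Prevent access to registry editing tools".
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2     # 2 = block cmd.exe but still allow logon/batch scripts
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1

# Machine-side policy (HKLM): "Removable Disks: Deny all access" under Removable Storage Access.
# The GUID is the device setup class for removable disks used by that policy template.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' `
    -ValueName 'Deny_All' -Type DWord -Value 1

# Link (enabled) to the OU; system time is a user right (SeSystemtimePrivilege) and is set
# under Security Settings > User Rights Assignment, not via a registry value.
if (-not (Get-GPInheritance -Target $ou).GpoLinks.Where({ $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# Document what the GPO now contains for change review.
Get-GPOReport -Name $gpoName -ReportType Html -Path ".\$($gpoName -replace ' ','_').html"
```

On a client in the OU, run `gpupdate /force` and confirm with `gpresult /r` that the GPO is applied before relying on it.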
Use SCM 2.0 (Security Compliance Manager)
- Automatic security baseline updates
- Centralized baseline library: unified experience from security baseline deployment to compliance check
- Baseline customization, exporting & management
- Monitor and report security baseline compliance using System Center DCM

Demo 1: GPO & SCM
Windows Firewall with Advanced Security
- Inbound and outbound filtering
- New management console
- Integrated firewall and IPsec policies
- Rule configuration on Active Directory groups and users
- Support for IPv4 and IPv6
- Advanced rule options
- On by default
Network Access Protection: a policy-based solution that
- Validates whether computers meet health policies
- Limits access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state

Standards-based
- Plug and play: works with most devices
- Supports multiple antivirus solutions
- Has become the standard for Network Access Control

How it works
1. Access requested through an enforcement point (DHCP, VPN, switch/router).
2. Health state sent to Microsoft NPS (RADIUS).
3. NPS validates the health state against the health policy, consulting policy servers (e.g., patch, AV).
4. If policy compliant, access to the corporate network is granted.
5. If not policy compliant, the computer gets restricted network access and is remediated by remediation servers (e.g., patch) before re-evaluation.
Domain and Server Isolation (corporate network with Active Directory Domain Controller and Trusted Resource Server)
- Domain isolation: managed computers are trusted; an unmanaged/rogue computer is untrusted and blocked
- Server isolation: only the HR Workstation group may reach servers with sensitive data; other managed computers are blocked
- Define logical isolation boundaries
- Distribute policies and credentials
- Managed computers can communicate
- Block inbound connections from untrusted computers
- Enable tiered access to sensitive resources
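The two isolation tiers above expressed as connection security and firewall rules, as an added example that is not from the deck. It uses the NetSecurity cmdlets (Windows Server 2012 / Windows 8 and later; the deck's era would have used netsh advfirewall consec or the WFAS console, but the rule semantics are the same). Domain name, GPO names, DC addresses and the "HR Workstations" group are hypothetical.

```powershell
# Added example: domain isolation + server isolation with IPsec. Assumes the ActiveDirectory
# and NetSecurity modules and write access to the named GPOs (hypothetical names).
$domainStore = 'contoso.com\IPsec Domain Isolation'   # rules are written to the GPO, not the local store
$hrStore     = 'contoso.com\HR Server Isolation'

# Phase 1 authentication: Kerberos computer credentials, so only domain members (the
# "managed computers") can negotiate a security association at all.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos (computer)' -Proposal $kerb -PolicyStore $domainStore

# Domain isolation: require authenticated INBOUND connections (blocks the rogue/unmanaged PC),
# but only REQUEST security outbound so managed hosts can still talk to printers and the internet.
New-NetIPsecRule -DisplayName 'Domain isolation' -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -PolicyStore $domainStore

# Exemption: domain controllers must be reachable without IPsec, otherwise Kerberos cannot
# bootstrap the negotiation (chicken-and-egg). Use the real DC addresses here.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' -RemoteAddress '10.0.0.10','10.0.0.11' `
    -InboundSecurity None -OutboundSecurity None -PolicyStore $domainStore

# Server isolation (tiered access): on the sensitive-data servers, allow SMB only from
# computers that authenticated via IPsec AND are members of the HR Workstations group.
# -RemoteMachine takes an SDDL string granting (A;;CC;;;<group SID>).
$hrSid = (Get-ADGroup -Identity 'HR Workstations').SID.Value
New-NetFirewallRule -DisplayName 'Sensitive data: HR workstations only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Allow -Authentication Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$hrSid)" -PolicyStore $hrStore

# Verification on a managed host after gpupdate: each peer you talk to should show a
# Kerberos main-mode SA; an unmanaged host will show none and its inbound traffic is dropped.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, MainModeAuthentication
```

Roll out with the isolation rule in "Request" inbound first and watch the main-mode SAs before switching to "Require", so a missed exemption (DHCP, DNS, non-domain appliances) shows up as a missing SA rather than an outage.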
Internet Security Threats
- Browser and add-on vulnerabilities
- Web application security improvements
- Protection against socially-engineered attacks
- Privacy improvements

Building on IE8 and addressing the evolving threat landscape

Freedom from intrusion (social engineering & exploits)
- Reduce unwanted communications
- International Domain Names
- Pop-up Blocker
- Increased usability

Protection from harm (browser & web server exploits)
- Protection from deceptive websites, malicious code, online fraud, identity theft

Control of information (choice and control)
- Clear notice of information use
- Provide only what is needed

Underlying features: Secure Development Lifecycle; Extended Validation (EV) SSL certs; SmartScreen Filter + URL Verify; Domain Highlighting; XSS Filter; DEP/NX; ActiveX Controls; Download Reputation; user-friendly, discoverable notices; P3P-enabled cookie controls; Delete Browsing History; InPrivate Browsing & Filtering
Security in IE8 and IE9

Internet Explorer 8
- SmartScreen Filter
- InPrivate Browsing
- InPrivate Filtering
- Tab isolation and recovery
- Cross-Site Scripting Filter
- ClickJacking protection
- Domain Highlighting
- User preference protection
- Cross-Domain Requests

Internet Explorer 9 adds
- Download Reputation
- Improvements to SmartScreen URL reputation
Web Browser Security: Secure & Most Reliable. IE9 with SmartScreen offers the best protection of any browser against socially engineered malware. Source: NSS Labs, Web Browser Security: Socially-Engineered Malware Protection, report available at http://www.nsslabs.com/browser-security
Group Policy for IE9 Security
- Restrict users from making configuration changes
- Configure SmartScreen Filter settings
- Restrict which add-ons may be installed or run
- Ensure users are not spoofed by fraudulent certificates or unsigned software
- Control which HTTPS algorithms are enabled
- Control which security zone settings are applied to specified sites
- Reduce attack surface

Demo: IE lockdown with GPO
Restrict what software can run on the desktop
- Other than software approved by the IT department, no other software can run on the desktop
- Helps with compliance with software policies
- Helps implement per-user software policies
- Software can be upgraded / uninstalled automatically

Situation today
- Users can install and run nonstandard applications
- Even standard users can install some types of software
- Unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts

Windows 7 solution: AppLocker
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy

Technical details
- Simple rule structure: Allow, Exception & Deny
- Publisher rules: product publisher, name, filename & version
- Multiple policies: executables, installers, scripts & DLLs
- Rule creation tools & wizard
- Audit-only mode

SKU availability
- AppLocker: Enterprise
- Legacy SRP: Business & Enterprise
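The AppLocker rollout the technical details describe (publisher rules from a reference machine, audit-only first, then deploy via Group Policy), as an added example that is not from the deck. The GPO name is hypothetical; the cmdlets, event IDs and the AppIDSvc service are the standard AppLocker ones.

```powershell
# Added example: build an AppLocker policy from an IT-built reference image, audit it, then
# push it to a GPO. Assumes Windows 7 Enterprise / Server 2008 R2 or later, an admin session,
# and a GPO named "AppLocker" (hypothetical) in the current domain.
Import-Module AppLocker
Import-Module GroupPolicy

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory what IT installed: executables, installers and scripts under the approved paths.
#    Publisher data comes from each file's Authenticode signature.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate Allow rules for Everyone. Publisher rules survive version upgrades (so patched
#    software keeps running); Hash rules are the fallback for unsigned files. -Optimize merges
#    rules that cover the same publisher/product.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Audit-only mode: nothing is blocked yet, but every file that WOULD be blocked is logged.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 4. Dry-run a sample against the policy before deploying: a user-downloaded installer
#    in the Downloads folder should come back as DeniedByDefault (no rule covers it).
Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path "$env:USERPROFILE\Downloads\setup.exe"

# 5. Deploy to the GPO (Get-GPO exposes the policy's LDAP path). Clients pick it up at refresh.
Set-AppLockerPolicy -PolicyObject $policy -Ldap "LDAP://$((Get-GPO -Name 'AppLocker').Path)"

# 6. During the audit period, review what users ran that the policy does not cover.
#    8003 = allowed but would have been blocked (audit); 8004 = blocked (enforce).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Add Exception or Deny rules for anything the 8003 events show that should not be allowed, then switch EnforcementMode to Enabled only once the audit log has been quiet for a full patch cycle.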
RMS
- Policy definition and enforcement
- Helps protect information wherever it travels
- Integrated RMS client
- Policy-based protection of document libraries in SharePoint

EFS
- User-based file and folder encryption
- Ability to store EFS keys on a smart card

BitLocker
- Easier to configure and deploy
- Roam protected data between work and home

Across all three
- Share protected data with co-workers, clients, partners, etc.
- Improve compliance and data security
Security literature to read
- Threats & Countermeasures
- Security Risk Management Guide
- Fundamental Computer Investigation Guide for Windows

Misc. security tools for admins
- Microsoft Security Assessment Tool 4.0 (MSAT)
- MBSA tool & scripts
- Microsoft Security Compliance Manager 2.0
- Security Awareness Toolkit
- SysInternals Toolkit
- err.exe
- Attack Surface Analyzer (Beta)
- Enhanced Mitigation Experience Toolkit (EMET)
- MDOP Pack

Services: a well-managed, secure infrastructure is the key!
- Edge, Server, Applications, Client and Server OS
- Identity & Access Management: Active Directory Federation Services (ADFS), Certificate Lifecycle Management
- Information Protection
- Systems Management: Configuration Manager 2007, Operations Manager 2007, Data Protection Manager, Mobile Device Manager 2008
- SDL, TWC (Trustworthy Computing)
http://msdn.microsoft.com/
http://technet.microsoft.com/
msdnindia @msdnindia
technetindia @technetindia

Microsoft Virtual Academy
- Free e-learning program
- 100, 200 and some 300 level multi-product content
- Organized by product, careers & specializations
- 5 tracks released, 1 more every week
- Online and offline components
- Register and study a course in MVA: www.microsoftvirtualacademy.com