Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Similar documents
Windows 7. Qing Liu Michael Stevens

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Protect Sensitive Data Using Encryption Technologies. Ravi Sankar Technology Evangelist Microsoft Corporation

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

ADMINISTERING WINDOWS VISTA SECURITY: THE BIG SURPRISES

Computer Security: Principles and Practice

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

Windows 7, Enterprise Desktop Support Technician

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

70-685: Enterprise Desktop Support Technician

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Get Success in Passing Your Certification Exam at first attempt!

MarkMlnasi Byron Hynes

Disk Encryption. Aaron Howard IT Security Office

Windows 7, Enterprise Desktop Support Technician

Configuring and Administering Windows 7

Course 50322B: Configuring and Administering Windows 7

ICT Professional Optional Programmes

Windows Server 2008/2012 Server Hardening

Module 3: Resolve Software Failure This module explains how to fix problems with applications that have problems after being installed.

Introducing. Markus Erlacher Technical Solution Professional Microsoft Switzerland

Chapter 4 Application, Data and Host Security

Security. TestOut Modules

Web. Security Options Comparison

iphone in Business Security Overview

FileCloud Security FAQ

Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Windows Server. Introduction to Windows Server 2008 and Windows Server 2008 R2

ipad in Business Security

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

MS MCITP: Windows 7 Enterprise Desktop Support Technician Boot Camp

Windows BitLocker Drive Encryption Step-by-Step Guide

Configuring Security Features of Session Recording

Administering Windows Server 2012

Securing Active Directory Presented by Michael Ivy

Microsoft Windows 8 Beta Exam by Ding Dong

Windows Server 2008 Essentials. Installation, Deployment and Management

McAfee Firewall Enterprise 8.2.1

IT Networking and Security

System Administration Training Guide. S100 Installation and Site Management

Penetration Testing Windows Vista TM BitLocker TM

Encrypting stored data. Tuomas Aura T Information security technology

Achieving PCI-Compliance through Cyberoam

Operating System Security

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Encrypted File Systems. Don Porter CSE 506

HP A-IMC Firewall Manager

Managing BitLocker Encryption

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Administering Windows Server 2012

Windows Remote Access

Agency Pre Migration Tasks

Security Considerations for DirectAccess Deployments. Whitepaper

A Guide to New Features in Propalms OneGate 4.0

Table of Contents. TPM Configuration Procedure Configuring the System BIOS... 2

ACER ProShield. Table of Contents

Installation Notes for Outpost Network Security (ONS) version 3.2

Navigating Endpoint Encryption Technologies

Encrypting the Private Files on Your Computer Presentation by Eric Moore, CUGG June 12, 2010

Acronis Backup & Recovery 11.5

Symantec Endpoint Encryption Full Disk

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

DriveLock and Windows 7


A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

AV-006: Installing, Administering and Configuring Windows Server 2012

Windows Advanced Audit Policy Configuration

GE Measurement & Control. Cyber Security for NEI 08-09

Trustworthy Computing

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Installing and Upgrading to Windows 7

McAfee Firewall Enterprise 8.3.1

NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Member Server v

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

This section provides a summary of using network location profiles to identify network connection types. Details include:

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Windows 7, Enterprise Desktop Support Technician

Administering Windows Server 2012

2007 Microsoft Office System Document Encryption

NETASQ SSO Agent Installation and deployment

How To Manage Hard Disk Partitioning In Windows (Windows 8) (Windows 7) (Powerbook) (For Windows 8) And Windows 8 (Pro) (Winstone) (Probation) (Perl

HP IMC Firewall Manager

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Introduction to BitLocker FVE

Deploying iphone and ipad Security Overview

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

DriveLock and Windows 8

CipherShare Features and Benefits

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

BitLocker Encryption for non-tpm laptops

Locking down a Hitachi ID Suite server

Windows Server 2008 R2 Essentials

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

FDCC Implementers Workshop David L. Dixon Sr. Consultant, Microsoft Federal Services FDCC Team

Objectif. Participant. Prérequis. Remarque. Programme. Windows 7, Enterprise Desktop Support Technician (seven)

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

Transcription:

Security Overview for Windows Vista Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Agenda User and group changes Encryption changes Audit changes User rights New and modified security options Firewall changes SMB v2 BitLocker

Administrator Account

Administrator Account

New Groups

Suite-B Crypto Software and Smart Card Key Storage Providers Cryptographic configuration NIST ECC Prime Curves support (smart cards too) AES SHA-2 IPSec support for AES and ECDH ECC cipher suites in SSL EFS with smart cards

New Auditing Registry value change audit events AD change audit events Improved operation-based audit Audit events for UAC Improved IPSec audit events including support for AuthIP RPC Call audit events Share Access audit events Share Management events Cryptographic function audit events NAP audit events (server only) IAS (RADIUS) audit events (server only)

Event Log Changes

Event Log Changes

Event Log Changes Event Forwarding Set up the service and firewall (Quick Config) on sender Add receiver to sender s Local Admins Set up subscriptions on receiver

User Rights & Privileges All rights for Power Users removed Create global objects does not have INTERACTIVE SE_IMPERSONATE has added IIS_IUSRS and removed ASPNET Logon as a service is now empty by default

New Privileges Access credential manager as a trusted caller Change time zone Create symbolic links Modify an object label Synchronize directory service data Increase a process working set

Security Options with Modified Defaults

Network Access Remotely Accessible Registry Paths

Network Access Shares That Can Be Accessed Anonymously

Network Security Do Not Store LAN Manager Hash Value on Next Password Change

Network Security LAN Manager Authentication Level

Devices Allowed to format and eject removable media

Devices Restrict CD-ROM/Floppy Access to Locally Logged On User Only

Interactive Logon Require Smart Card

New Security Options

Network Access Remotely Accessible Registry Paths and Sub- Paths

Network Access Restrict Anonymous Access to Named Pipes and Shares

System Settings Optional subsystems

Firewall Changes Overview Outbound filtering Filtering based on SIDs Better management UI 5-tuple configuration Local address, remote address, local port, remote port, protocol Integration with IPSec Three profiles Domain, now authenticates to the DCs Private Public Interface type support Per-user rules

SMB v2 Only 16 commands (80 in SMB v1) Implicit sequence number speeds up hashing SHA-256 signatures (MD-5 in SMBv1) Handles reconnections more reliably Client-side file encryption Symbolic links across shares (disabled by default) Better load balancing mitigates

BitLocker The Threats Computer is lost or stolen Theft or compromise of data Attack against corporate network Damage to OS if attacker installs alternate OS Difficult and time-consuming to truly erase decommissioned disks Existing ways to mitigate these threats are too easy for user to circumvent

Secure Startup Ensure boot integrity Protect data when offline Ease equipment recycling Resilient against attack Lock tampered systems Encrypt user data and system files Umbrella protection Simplify recycling Speed data deletion Protect system from offline software-based attacks Prevent boot if monitored files have been altered All data on the volume is encrypted: user, system, page, hibernation, temp, crash dump Third-party apps benefit when installed on encrypted volume Render data useless by deleting TPM key store Erasing takes seconds, not hours

Requires TPM 1.2 Chip Microcontroller affixed to motherboard Stores keys, passwords, digital certificates For BitLocker, TPM stores volume encryption key Key released only when system boots normally; compares each boot process against previously stored measurements Any changes made to encrypted volume renders key irretrievable No user interaction or visibility Keys can be archived in Active Directory for the inevitable Oh shoot! moment Prohibits use of software debuggers during boot

Won t EFS Protect Me? Not quite it s good for those who know what they re doing Users often store data on the desktop is it EFSed? EFS doesn t protect the operating system EFS is very strong against attacks Four levels of key protection Properly configured, EFS is computationally infeasible to crack

Continuum of Protection Laptops Branch office servers Local single user file protection (Windows partition only) Local multi-user file protection Remote file protection Untrusted administrator Remote document policy enforcement BitLocker EFS RMS

OS Co-Existence BitLocker encrypts Windows partition only You won t be able to dual-boot another OS on the same partition OSes on other partitions will work fine Attempts to modify the protected Windows partition will render it unbootable Replacing MBR Modifying even a single bit

Enabling BitLocker Create a 1.5GB active partition This becomes your system partition where OS boots The TPM boot manager uses only 50MB Windows runs from on your boot partition where the system lives Enable TPM chip usually in system BIOS Enable BitLocker in Security Center Update hard disk MBR Encrypt Windows boot partition Generate symmetric encryption key Store key in TPM Encryption begins after reboot

Doesn t Stop Everything Hardware debuggers Online attacks BitLocker is concerned only with the system s startup process Post logon attacks Sabotage by administrators Poor security maintenance

BitLocker Deployment Requires hardware and software upgrades Phase in, start with high priority computers Mostly a feature for laptops Also consider for desktop computers in insecure environments (factory floor, kiosk, ) Enterprise key management Hardware lifecycle management

2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information