June 4-8 Orlando
8/15/2007
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
PRCN09
Windows Vista Defense Technologies
Internet Explorer 7 Defense Technologies
Protect Sensitive Data
Vista Security Guide
Network Access Protection
Kernel Patch Protection
User Account Control
Windows Defender
Windows Firewall
Windows Security Center
Malicious Software Removal Tool
Software Restriction Policies
Threat
Malicious Code, Rootkits
Mitigation
Kernel Patch Protection (PatchGuard)
What you get
Reliability
Performance
Security
What you need to know
Requires 64-bit OS
You will need signed drivers
You can’t turn it off
Threat
Dumb users
Mitigation
User Account Control
What you need to know
All users run as standard user (even admins)
Vista fixes XP gripes
Time zone, printers, WEP, VPN, Power management.
You can turn it off …. Don’t
Educate users
Threat
Malware
Mitigation
Windows Defender
What you get
Real-time protection
Scheduled scans
Automatic Updates
What you need to know
Limited GP control
Threat
Network based attacks, worms
Mitigation
Windows Firewall with Advanced Security
What you get
Inbound and outbound protection
Improved Network Location Awareness (NLA)
Integrated IPSec management
Rules based on programs or ports
What you need to know
Test your apps
Understand profiles (Domain, Private, Public)
Threat
Mis-configuration
Out of date applications
Mitigation
Windows Security Center
What you get
One stop overview
AV, Malware, Updates, IE Settings
Remediation
Advice
Actions
Workgroup machine
Domain machine
Threat
Machines infected with common malware
Mitigation
Malicious Software Removal Tool
What you need to know
Removes 100 known Malware types & their variants
See KB 890830 for full details
Not a replacement for a proper anti-malware solution e.g. Forefront Client Security
What you need to do
Released as part of Patch Tuesday
Threat
Un-trusted or malicious code
Mitigation
Software Restriction Policies
What you need to know
Allow everything to run except
Allow nothing to run except
Identifying software
Hash, Certificate, Path, Network zone
Protected Mode
ActiveX Opt-in
Phishing Filter
Threat
Malicious or Compromised Websites or content
Mitigation
IE7 Protected Mode
What you get
IE runs at a lower privilege than users
Restricts access to the OS & file system
Users can turn it off
Threat
Website uses a previously installed ActiveX control maliciously
Mitigation
IE7 ActiveX Opt-in
What you get
Only explicitly allowed ActiveX controls are allowed to run
Greater control
Threat
Private or sensitive information exposure
Mitigation
IE7 Phishing filter
What you need to know
Uses online service to compare website to list of known fraudulent sites
Analyses sites for common traits of phishing sites
Controllable through Group Policy
BitLocker Drive Encryption
Encrypting File System
Rights Management Services
Device Control
Threat
Stolen or lost laptops with sensitive data
Mitigation
BitLocker Drive Encryption
What you get
Protection against modification of boot components
Protection of the drive containing the operating system and all the data on that drive
What you need to know
Encrypts the boot volume and all data on it
Requires a separate system volume of at least 1.5Gb
Vista does not support encryption of data volumes
Trusted Platform Module 1.2
Things to watch out for
BIOS upgrades
Hardware maintenance
Moving disks between machines
Recommendations
Use TPM + PIN
Configure AD for BitLocker Recovery
Extend Schema
Configure permissions on Computer objects
Configure Group Policy
Threat
Data loss from stolen laptops
Unauthorised data access on shared systems
Mitigation
Encrypting File System
What you need to know
PKI & key recovery is essential
Provides for protection of data volumes in addition to the boot volume
Vista supports multi user access to encrypted content
What you get
Support for storing encryption keys on smart cards
Centralized administration of EFS protection policies
Per-user encryption of the client-side cache (offline files)
System page file encryption
A simpler way to update encryption keys with the Rekeying Wizard
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
Threat
Unauthorised access or distribution of data
Mitigation
Rights Management Services
What you need
RMS Server
RMS Client
RMS Applications
PKI
Threat
Data theft
Malware
Mitigation
Device Control
What you need to know
Block on device ID or class
Enable specific devices
BitLocker
Allow & Prevent interaction
Windows Vista Security Guide
Packaged solution
Guidance
Best practices
References
GPO Accelerator Tool
Predefined Solutions
Enterprise Client (EC)
Typical corporate desktop or laptop
Specialized Security – Limited Functionality (SSLF)
High security environment requiring maximum security
Threat
Non compliant machines compromising the network
Mitigation
Network Access Protection
What you need to know
Health State Validation
Health Policy Compliance
Limited Access
Components
System Health Agents
Vista
Windows XP SP2 with NAP client for Windows XP
Windows Server 2008
System Health Validators
Windows Server 2008
Network Policy Servers (formerly IAS)
Remediation Servers
Health Registration Authority
Enforcement options
IPSec
802.1x
VPN
DHCP
SEC10-HOL, Securing Windows Vista: Using the Windows Vista Security Guide and the GPOAccelerator
CLI219, Securing Windows Vista with Software and Device Restriction Policies, Russ Humphries
CLI426, Windows Vista Kernel Changes, Mark Russinovich
OFC348, Desktop and Document Security; Guidance and Tools for Protecting your environment, Ross Carter & Flicka Enloe
SEC01TLC, Your Customers’ Laptop Data is at Risk! Protecting Customer Data with the Data Encryption Toolkit for Mobile PCs, Bill Canning
SEC07-HOL, Securing Your Network Using Microsoft Network Access Protection (NAP)
Windows Vista Security Guide http://www.microsoft.com/technet/windowsvista/security/guide.mspx
Microsoft Network Access Protection http://www.microsoft.com/nap
Technical Communities, Webcasts, Blogs, Chats & User Groups http://www.microsoft.com/communities/default.mspx
Microsoft Learning and Certification http://www.microsoft.com/learning/default.mspx
Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet
Trial Software and Virtual Labs http://www.microsoft.com/technet/downloads/trials/default.mspx