Windows 7: Some New Features
Olav Tvedt, Deployment Ranger, Microsoft

Agenda
- Security for mobile users
- BitLocker
- BitLocker To Go
- AppLocker
- BranchCache

Security for Mobile Users

Securing Anywhere Access
- Network security
  - Windows Firewall can coexist with 3rd-party products
  - Multi-home profiles
  - DNSSEC
- Network Access Protection
  - Ensure that only "healthy" machines can access corporate data
  - Enable "unhealthy" machines to get clean before they gain access
- DirectAccess
  - Security-protected, seamless, always-on connection to the corporate network
  - Improved management of remote users
  - Consistent security for all access scenarios

Network Access Protection
- Health policy validation and remediation against policy servers such as patch and AV servers
- Helps keep mobile, desktop and server devices in compliance
- Reduces risk from unauthorized systems on the network
- [Diagram] A Windows client connects through DHCP, VPN or a switch/router and its health is checked by the NPS (Network Policy Server). A policy-compliant client is placed on the corporate network; a non-compliant client (example: missing patch) is placed on a restricted network with remediation servers until it is compliant.

Protect Users & Infrastructure
- AppLocker
  - Enables application standardization within an organization without increasing TCO
  - Increases security to safeguard against data and privacy loss
  - Supports compliance enforcement
- Internet Explorer 8
  - Protects users against social engineering and privacy exploits
  - Protects users against browser-based exploits
  - Protects users against web server exploits
- Data recovery
  - File backup and restore
  - CompletePC image-based backup
  - System Restore
  - Volume Shadow Copies / volume revert
  - Windows 7 Backup

Friday, October 02, 2009 Microsoft Confidential

Application Control: AppLocker
- Users can install and run non-standard applications; even standard users can install some types of software
- Unauthorized applications may:
  - Introduce malware
  - Increase helpdesk calls
  - Reduce user productivity
  - Undermine compliance efforts
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy

AppLocker
- Simple rule structure: Allow, Exception & Deny
- Publisher rules: product publisher, name, filename & version
- Multiple policies: executables, installers, scripts & DLLs
- Rule creation tools & wizard
- Audit-only mode

Protect Data from Unauthorized Viewing
- RMS
  - Policy definition and enforcement; protects information wherever it travels
  - Integrated RMS client
  - Policy-based protection of document libraries in SharePoint
- EFS
  - User-based file and folder encryption
  - Ability to store EFS keys on a smart card
- BitLocker
  - Easier to configure and deploy
  - Roam protected data between work and home
  - Share protected data with co-workers, clients, partners, etc.
  - Improve compliance and data security

Data Protection Scenarios
Scenario                                                       Technology
Remote document policy enforcement                             RMS
Protect content in transit                                     RMS
Protect content during collaboration                           RMS
Local multi-user file & folder protection on a shared machine  EFS
Remote file & folder protection                                EFS
Untrusted network administrator                                EFS
Laptop protection                                              BitLocker
Branch office server                                           BitLocker
Local single-user file & folder protection                     BitLocker

BitLocker + BitLocker To Go
[Chart: Worldwide shipments (000s), 2007-2011: removable solid-state storage shipments vs. PC shipments]
Sources: Gartner, "Forecast: USB Flash Drives, Worldwide, 2001-2011", 24 September 2007, Joseph Unsworth; Gartner, "Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08", 18 April 2008, Mikako Kitagawa, George Shiffler III
- Extend BitLocker Drive Encryption to removable devices
- Create Group Policies to mandate the use of encryption and block unencrypted drives
- Simplify BitLocker setup and configuration of the primary hard drive

BitLocker Core Enhancements
- Automatic 200 MB hidden boot partition
- New key protectors:
  - Data Recovery Agent (DRA)
  - Smart card (data volumes only)

BitLocker To Go
- Support for FAT volumes
- Protectors: DRA, passphrase, smart card and/or auto-unlock
- Management: protector configuration, encryption enforcement

BitLocker
BitLocker in three parts:
- Fixed data drives
- Operating system drives
- Removable data drives
For the extreme case: a smart card even on removable data drives

Branch Office Network Performance
- Application and data access over the WAN is slow in branch offices
- Slow connections hurt user productivity
- Improving network performance is expensive and difficult to implement
- BranchCache caches content downloaded from file and web servers
- Users in the branch can quickly open files stored in the cache
- Frees up network bandwidth for other uses

BranchCache (Windows 7 Enterprise)
Distributed cache
- Recommended for branches without a branch server
- Easy to deploy: enabled on clients through Group Policy
- Cache availability decreases with laptops that go offline
Hosted cache
- Cache stored centrally on an existing server in the branch
- Cache availability is high
- Enables branch-wide caching
- Increased reliability

BranchCache Framework
[Diagram] Applications (3rd-party applications, Office, Explorer/CopyFile, SharePoint, Windows Media Player, Internet Explorer) run over the transports SMB (CSC/SRV), BITS and HTTP (WebIO/http.sys); these transports are where BranchCache plugs in.

Security Flow
- Client requests data from the server and indicates BranchCache capability
  - Server authorizes the client
  - Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
  - Server sends the metadata on the same channel as the data
- Client computes a segment discovery key and broadcasts it on the local network
- Serving clients receive the broadcast
  - Match the segment discovery key against the segments they hold
  - Respond with data availability
- Client requests blocks from the serving client
  - Serving client computes the encryption key from the segment private key
  - Serving client encrypts each block with the encryption key
- Client receives the data
  - Decrypts the data
  - Validates the block data against the block hash
  - If valid, returns it to the application

Security of Data at Rest
- Clients
  - Cache only contains content requested by the client
  - Data in the cache is ACL'd so that it is only accessible if authorized by the server
  - If data leakage is a concern, use BitLocker or EFS
- Hosted cache
  - Cache contains content requested by all branch clients
  - Use BitLocker or EFS to encrypt the cache as necessary
- All data can be purged from the cache using netsh

Deployment Workshop with Visma Ajourit
2-day deployment workshop: how to work more efficiently and save time and money
WDS, MDT, USMT, WAIK, DISM, WinPE, MAP, ACT and much more
http://www.visma.no/administrative-tjenester/kurs/visma-kurssenter/Sider/smakebit-paa-microsoft-windows-7.aspx
Location    Date
Bergen      5-6 October
Oslo        12-13 October
Stavanger   19-20 October
Trondheim   26-27 October

Links
http://www.microsoft.com/downloads
http://www.microsoft.com/springboard
http://www.microsoft.no/technet
http://technet.microsoft.com/sysinternals
http://www.microsoft.com/windows7
http://www.microsoft.com/deploy
Whitepapers:
- BranchCache Executive Overview
- BranchCache Technical Overview
- BranchCache Security Guide
- BranchCache Early Adopter's Guide
- Windows 7 Walkthrough: BranchCache
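The two AppLocker slides list the rule types (publisher, path, hash), the four rule collections (executables, installers, scripts, DLLs) and audit-only mode, but not how a policy is actually built and dry-run before it is pushed out. The following is an added example written for this page, not code from the deck or from Microsoft: it uses the Windows 7 AppLocker cmdlets to generate publisher rules (with hash rules as the fallback for unsigned binaries) from a reference software set, forces every rule collection into AuditOnly, and tests sample executables against the result. The reference directory, the candidate file paths and the use of the local policy rather than a GPO are assumptions.

```powershell
# Added example (not from the slide deck): build an AppLocker policy from the
# binaries in a reference directory, switch every rule collection to AuditOnly,
# and test sample executables against it before deployment.
# Assumes Windows 7 Enterprise/Ultimate or Server 2008 R2 with the AppLocker
# module; run elevated. Paths below are placeholders.
Import-Module AppLocker

$ReferenceDir = 'C:\Program Files'              # assumption: the "standard" software set
$PolicyPath   = "$env:TEMP\AppLocker-audit.xml"

# 1. Collect publisher signature, hash and path for every executable, DLL,
#    script and Windows Installer package under the reference directory.
$files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller

# 2. Build the policy: publisher rules where the file is signed, hash rules
#    otherwise. -Optimize merges rules that share publisher/product so the
#    policy stays readable; -User Everyone applies the rules to all users.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Force AuditOnly on each rule collection (Exe, Dll, Script, Msi): nothing is
#    blocked yet, but every decision is logged under
#    Applications and Services Logs\Microsoft\Windows\AppLocker.
[xml]$xml = $policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($PolicyPath)

# 4. Dry run: what would the policy decide for these files, and which rule matched?
#    (Candidate paths are assumptions; the second one stands in for an unknown download.)
$candidates = 'C:\Windows\System32\notepad.exe', "$env:USERPROFILE\Downloads\setup.exe"
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local policy (use -Ldap 'LDAP://...' to write it into a GPO
#    instead) and start the Application Identity service, without which
#    AppLocker evaluates nothing at all.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
```

Review the audit events for a few weeks before changing EnforcementMode to Enabled; the DLL collection in particular produces a lot of events and has to be enabled explicitly in the AppLocker properties before DLL rules are evaluated at all.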
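The BitLocker slides split drives into three classes (operating system, fixed data, removable data) and list the Windows 7 protectors (TPM, recovery password, DRA, passphrase, smart card, auto-unlock). Windows 7 has no BitLocker PowerShell cmdlets; the command-line interface is manage-bde.exe. The following is an added example written for this page, not code from the deck or from Microsoft, that configures one drive of each class with the protector combination the slides describe. Drive letters, the recovery-key share, the smart-card certificate file and the registry value name used in the policy check are assumptions; the Data Recovery Agent is not added here because it is published through Group Policy and applied automatically when a drive is encrypted.

```powershell
# Added example (not from the slide deck): configure the three Windows 7
# BitLocker drive classes with manage-bde.exe. Run from an elevated prompt on
# a machine with a TPM and the 200 MB system partition already in place.
# Drive letters, the recovery share and the certificate file are placeholders.
$OsDrive        = 'C:'
$FixedDrive     = 'D:'
$RemovableDrive = 'E:'
$RecoveryShare  = '\\fileserver\bitlocker-recovery$'   # assumption
$SmartCardCert  = 'C:\certs\user-smartcard.cer'        # assumption, for the "extreme" case

function Invoke-ManageBde([string[]]$ArgList) {
    # Wrapper so a failing step stops the script instead of leaving a drive half-configured.
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($ArgList -join ' ') failed:`n$out" }
    $out
}

# Operating system drive: TPM + PIN as the unlock protector (prompts for the PIN),
# a numerical recovery password for the helpdesk, and a recovery key file written
# to the share. The recovery password is escrowed to AD DS when policy requires it.
Invoke-ManageBde -ArgList '-on', $OsDrive, '-TPMAndPIN', '-RecoveryPassword', '-RecoveryKey', $RecoveryShare

# Fixed data drive: recovery password as fallback, auto-unlock once the OS drive
# is up so the user never types anything for it.
Invoke-ManageBde -ArgList '-on', $FixedDrive, '-RecoveryPassword'
Invoke-ManageBde -ArgList '-autounlock', '-enable', $FixedDrive

# Removable data drive (BitLocker To Go; works on FAT as well as NTFS):
# passphrase for the user (prompted) plus a recovery password. For the
# "smart card even on removable drives" case on the slide, replace '-Password'
# with '-Certificate', '-cf', $SmartCardCert.
Invoke-ManageBde -ArgList '-on', $RemovableDrive, '-Password', '-RecoveryPassword'

# Policy check: the slide's "block unencrypted drives" is the GPO setting
# "Deny write access to removable drives not protected by BitLocker". Its
# registry value name under the FVE policy key is an assumption; verify it
# against your GPO before relying on this check.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.RDVDenyWriteAccess -ne 1) {
    Write-Warning 'Unencrypted removable drives are still writable on this machine.'
}

# Verify: each volume lists the expected protectors and ends up "Fully Encrypted".
foreach ($d in $OsDrive, $FixedDrive, $RemovableDrive) {
    Invoke-ManageBde -ArgList '-protectors', '-get', $d
}
manage-bde -status
```

If the OS drive was not installed by Windows 7 Setup, the hidden system partition may be missing; run the BitLocker Drive Preparation Tool (bdehdcfg.exe, built into Windows 7) first, since manage-bde -on will otherwise refuse the operating system drive.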
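The BranchCache slides describe two client modes (distributed, hosted cache), note that clients are normally configured through Group Policy, and end with "all data can be purged from the cache using netsh". The following is an added example written for this page, not code from the deck or from Microsoft, that shows the equivalent netsh branchcache commands wrapped in a small PowerShell function, with the status check and the purge that the data-at-rest slide calls for. The hosted cache server name is an assumption.

```powershell
# Added example (not from the slide deck): switch a Windows 7 client between the
# BranchCache modes, inspect status, and purge the cache. Run elevated. In
# production these settings come from Group Policy (Computer Configuration >
# Administrative Templates > Network > BranchCache); netsh is for labs and
# troubleshooting, and netsh settings are overridden by policy.
function Set-BranchCacheMode {
    param(
        [ValidateSet('distributed', 'hostedclient', 'disabled')] [string]$Mode,
        [string]$HostedCacheServer
    )
    switch ($Mode) {
        'distributed'  { netsh branchcache set service mode=distributed }
        'hostedclient' {
            if (-not $HostedCacheServer) { throw 'hostedclient mode needs -HostedCacheServer' }
            netsh branchcache set service mode=hostedclient "location=$HostedCacheServer"
        }
        'disabled'     { netsh branchcache set service mode=disabled }
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh branchcache failed while setting mode '$Mode'" }
}

# Branch without a server: peers serve each other; the cache lives on every
# client, so laptops that leave take their share of the cache with them.
Set-BranchCacheMode -Mode distributed
# Cap the local cache (percentage of the volume) so the exposure is bounded.
netsh branchcache set cachesize size=5 percent=TRUE

# Branch with a server: clients send what they download to the hosted cache and
# ask it first. The server itself runs
#   netsh branchcache set service mode=hostedserver clientauthentication=domain
# on Windows Server 2008 R2 (assumed name below).
Set-BranchCacheMode -Mode hostedclient -HostedCacheServer 'hc1.branch.corp.example'

# Mode, cache location, cache size and whether the service is actually running.
netsh branchcache show status all

# Data at rest: the cache is ACL'd but not encrypted by BranchCache itself.
# Before a machine is handed over or decommissioned, purge it; for the day-to-day
# case keep the cache directory on a BitLocker- or EFS-protected volume.
netsh branchcache flush
```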
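The Security Flow slide lists the steps (block hashes and a segment hash computed by the server, a private segment key handed to authorized clients, a discovery key broadcast on the LAN, per-block encryption by the serving peer, hash validation by the receiver) without showing what each key protects. The following is an added example written for this page: a runnable PowerShell model of that flow, not the MS-PCCRC/MS-PCCRR wire format and not Microsoft's code. The 16-byte block size (real BranchCache uses 64 KB blocks), the label string mixed into the discovery key, the AES-128 key derivation and the use of a lookup rather than a "decrypt" for the peer's matching step are assumptions chosen to keep the model small.

```powershell
# Added example (not from the slide deck, not the BranchCache wire format):
# a model of the BranchCache security flow. All key derivations are illustrative.
$Label = [Text.Encoding]::Unicode.GetBytes('MS_P2P_CACHING')   # assumption: label string

function Get-Sha256([byte[]]$Bytes) {
    $h = [Security.Cryptography.SHA256]::Create()
    try { ,$h.ComputeHash($Bytes) } finally { $h.Clear() }
}
function Get-Hmac([byte[]]$Key, [byte[]]$Bytes) {
    $h = New-Object Security.Cryptography.HMACSHA256 (,$Key)
    try { ,$h.ComputeHash($Bytes) } finally { $h.Clear() }
}
function Get-Hex([byte[]]$Bytes) { [BitConverter]::ToString($Bytes).Replace('-', '') }

# --- Content server: the only party holding the secret; clients receive Kp per segment.
$ServerSecret = New-Object byte[] 32
(New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($ServerSecret)

function New-ContentInformation([byte[]]$Data, [int]$BlockSize = 16) {
    # Split into blocks, hash each block, hash the list of block hashes (HoD),
    # then derive the private segment key Kp = HMAC(secret, HoD).
    $blocks = @(); $hashes = @()
    for ($i = 0; $i -lt $Data.Length; $i += $BlockSize) {
        $len = [Math]::Min($BlockSize, $Data.Length - $i)
        $b = New-Object byte[] $len
        [Array]::Copy($Data, $i, $b, 0, $len)
        $blocks += ,$b
        $hashes += ,(Get-Sha256 $b)
    }
    $hod = Get-Sha256 ([byte[]]($hashes | ForEach-Object { $_ }))
    @{ Blocks = $blocks; BlockHashes = $hashes; HoD = $hod; Kp = (Get-Hmac $ServerSecret $hod) }
}

# --- Client and peers: everything below needs only (HoD, Kp), never the server secret.
# Discovery key: a peer without Kp cannot recover HoD from it, so the broadcast
# reveals nothing about the content to machines the server never authorized.
function Get-DiscoveryKey($Info) { Get-Hmac $Info.Kp ([byte[]]($Info.HoD + $Label)) }
# Per-segment AES-128 key derived from Kp (assumption: HMAC with a fixed label, truncated).
function Get-BlockKey($Info) {
    ,([byte[]](Get-Hmac $Info.Kp ([Text.Encoding]::ASCII.GetBytes('block-key')))[0..15])
}
function Protect-Block([byte[]]$Key, [byte[]]$Plain) {
    # Serving client: AES-CBC with a fresh IV per block; IV is sent ahead of the ciphertext.
    $aes = New-Object Security.Cryptography.AesManaged
    $aes.Key = $Key; $aes.GenerateIV(); $iv = $aes.IV
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $aes.Clear()
    ,([byte[]]($iv + $ct))
}
function Unprotect-Block([byte[]]$Key, [byte[]]$Wire) {
    $aes = New-Object Security.Cryptography.AesManaged
    $aes.Key = $Key; $aes.IV = [byte[]]$Wire[0..15]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Wire, 16, $Wire.Length - 16)
    $aes.Clear()
    ,$pt
}

function Test-BranchCacheFlow {
    # Constructed sample content; in reality a file or HTTP response from the server.
    $content = [Text.Encoding]::ASCII.GetBytes('Branch office users should fetch this over the WAN exactly once.')

    # 1. Server authorizes the requesting client and returns the content information.
    $info = New-ContentInformation $content
    # A peer that fetched the same content earlier indexes it by its discovery key.
    $peerCache = @{}
    $peerCache[(Get-Hex (Get-DiscoveryKey $info))] = $info

    # 2. Requesting client derives the discovery key and broadcasts it.
    $broadcast = Get-Hex (Get-DiscoveryKey $info)
    # 3. Peers match it against what they hold and answer with availability.
    $available = $peerCache.ContainsKey($broadcast)
    if (-not $available) { return @{ PeerHasSegment = $false } }

    # 4. Peer encrypts block 0 under the Kp-derived key; the client decrypts and
    #    checks it against the block hash it got from the server, not from the peer.
    $key   = Get-BlockKey $info
    $wire  = Protect-Block $key $peerCache[$broadcast].Blocks[0]
    $plain = Unprotect-Block $key $wire
    $valid = (Get-Hex (Get-Sha256 $plain)) -eq (Get-Hex $info.BlockHashes[0])

    # 5. A corrupt or malicious peer flips a ciphertext byte: either decryption
    #    fails (bad padding) or the plaintext no longer matches the server's hash.
    $wire[$wire.Length - 1] = $wire[$wire.Length - 1] -bxor 0x01
    $tampered = $null
    try { $tampered = Unprotect-Block $key $wire } catch { }
    $detected = ($tampered -eq $null) -or
                ((Get-Hex (Get-Sha256 $tampered)) -ne (Get-Hex $info.BlockHashes[0]))

    @{ PeerHasSegment = $available; BlockValid = $valid; TamperDetected = $detected }
}

Test-BranchCacheFlow | Format-Table -AutoSize
```

The point the model makes explicit is the trust split on the slide: confidentiality against unauthorized machines on the LAN rests on Kp, which only the server hands out, while integrity against a misbehaving peer rests on the block hashes, which the client also receives from the server and never from the peer. A peer therefore can serve content it holds but cannot substitute its own.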