Windows 7
What's new
Olav Tvedt, Deployment Ranger
Microsoft
Agenda
Security for mobile users
BitLocker
BitLocker To Go
AppLocker
BranchCache
Security for Mobile Users
Securing Anywhere Access
Network Security
Windows Firewall can
coexist with 3rd party
products
Multi-Home Profiles
DNSSEC
Network Access
Protection
Ensure that only “healthy”
machines can access
corporate data
Enable “unhealthy”
machines to get clean
before they gain access
DirectAccess™
Secure, seamless, always-on
connection to the corporate
network
Improved management
of remote users
Consistent security for all
access scenarios
Network Access Protection
Policy servers, such as: patch, AV
Health policy validation and remediation
Helps keep mobile, desktop and server devices in compliance
Reduces risk from unauthorized systems on the network
[Diagram: a Windows client connects through DHCP, VPN or a switch/router; the NPS checks its health against the policy servers (example: patch). A client that is not policy compliant is placed on the restricted network, where the remediation servers are; a policy-compliant client is admitted to the corporate network.]
Protect Users & Infrastructure
AppLocker™
Enables application
standardization within an
organization without
increasing TCO
Increase security to
safeguard against data
and privacy loss
Support compliance
enforcement
Internet Explorer 8
Protect users against
social engineering and
privacy exploits
Protect users against
browser based exploits
Protect users against web
server exploits
Data Recovery
File back up and restore
CompletePC™
image-based backup
System Restore
Volume Shadow Copies
Volume Revert
Windows 7 Backup
Friday, October 02, 2009
Microsoft Confidential
Application Control
AppLocker™
Users can install and run non-standard
applications
Even standard users can install some
types of software
Unauthorized applications may:
Introduce malware
Increase helpdesk calls
Reduce user productivity
Undermine compliance efforts
Eliminate unwanted/unknown
applications in your network
Enforce application standardization
within your organization
Easily create and manage flexible rules
using Group Policy
AppLocker™
- Simple rule structure: Allow, Exception and Deny
- Publisher rules: product publisher, name, filename and version
- Multiple policies: executables, installers, scripts and DLLs
- Rule creation tools and wizard
- Audit-only mode
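The procedure the AppLocker slides describe (publisher and hash rules generated by a wizard, several rule collections, audit-only mode, delivery through Group Policy) as one PowerShell script. This is an added example, not code from the deck or from Microsoft; the scan directory, the file tested, the user name and the GPO LDAP path are placeholders (assumptions), and the cmdlets are the ones in the AppLocker module that ships with Windows 7.

```powershell
# Added example (not from the deck): build a publisher/hash AppLocker policy from the software
# actually installed on a reference machine, deploy it in audit-only mode, and review what it
# would have blocked. Scan directory, test file, user and GPO LDAP path are placeholders.
Import-Module AppLocker

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Inventory executables and installers on the reference image (slow on large trees).
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, WindowsInstaller

# 2. Publisher rules for signed files (they survive version updates), hash rules as fallback
#    for unsigned ones (they must be regenerated on every update). -Optimize collapses rules
#    that share publisher/product into one; -IgnoreMissingFileInformation skips unreadable files.
[xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Audit-only: nothing is blocked yet, but every file that would have been blocked is logged
#    as event 8003 in "Microsoft-Windows-AppLocker/EXE and DLL" (8004 once enforcing).
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($policyFile)

# 4. Dry run: what would this policy decide for a given file and user?
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Users\Public\Downloads\tool.exe' -User 'CONTOSO\alice'

# 5. Apply locally (without -Merge this replaces the existing local policy) ...
Set-AppLockerPolicy -XmlPolicy $policyFile
# ... or into a GPO; the LDAP path is a placeholder for the target GPO.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://dc01.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'

# 6. After a week in audit mode: what would have been blocked, and how often? Anything
#    legitimate in this list needs a rule before EnforcementMode is switched to 'Enabled'.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited -Statistics
```

The generated policy only covers what the scan found; before switching to enforcement, add the default rules (Windows and Program Files for Everyone, everything for Administrators) that the console wizard creates, or the audit log in step 6 will show Windows components themselves being flagged. Keep step 3 in place for long enough to see the software users actually run.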
Protect Data from Unauthorized Viewing
RMS
Policy definition
and enforcement
Protects information
wherever it travels
Integrated RMS Client
Policy-based protection of
document libraries in
SharePoint
EFS
User-based file and folder
encryption
Ability to store EFS keys on
a smart card
BitLocker™
Easier to configure
and deploy
Roam protected data
between work and home
Share protected data with
co-workers, clients,
partners, etc.
Improve compliance and
data security
Data Protection Scenarios
[Table: each scenario is mapped to the technology that covers it; the check marks did not survive extraction, only the scenario rows and the column headings are recoverable.]
Scenarios:
- Remote document policy enforcement
- Protect content in transit
- Protect content during collaboration
- Local multi-user file and folder protection on a shared machine
- Remote file and folder protection
- Untrusted network administrator
- Laptop protection
- Branch office server
- Local single-user file and folder protection
Columns: RMS, EFS, BitLocker™, BitLocker To Go™
[Chart: Worldwide Shipments (000s), 2007 to 2011: removable solid-state storage shipments compared with PC shipments]
Sources:
- Gartner, "Forecast: USB Flash Drives, Worldwide, 2001-2011", 24 September 2007, Joseph Unsworth
- Gartner, "Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08", 18 April 2008, Mikako Kitagawa, George Shiffler III
Extend BitLocker™ Drive Encryption
to removable devices
Create group policies to mandate the
use of encryption and block
unencrypted drives
Simplify BitLocker™ setup and
configuration of the primary hard drive
BitLocker™
Core enhancements
- Automatic 200 MB hidden boot partition
- New key protectors:
  - Data recovery agent (DRA)
  - Smart card (data volumes only)
BitLocker To Go™
- Support for FAT*
- Protectors: DRA, passphrase, smart card and/or auto-unlock
- Management: protector configuration, encryption enforcement
BitLocker
- Three drive classes:
  - Fixed data drives
  - Operating system drives
  - Removable data drives
- For the extreme:
  - Smart card even on removable data drives
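The BitLocker To Go setup the slides list (passphrase, recovery, DRA or smart card certificate, auto-unlock, and a policy that blocks unencrypted drives) as one script. This is an added example, not code from the deck; drive letter, certificate path and organisation identifier are placeholders (assumptions). The registry values in step 4 are what the BitLocker ADMX (VolumeEncryption.admx) writes for the named Group Policy settings; in production set them through a GPO and check the ADMX if a name differs from what is shown here.

```powershell
# Added example (not from the deck): protect a removable drive with BitLocker To Go, add a
# certificate (DRA / smart card) protector and auto-unlock, verify the result, and set the
# policy that refuses writes to unencrypted removable drives. Drive letter, certificate path
# and organisation ID are placeholders; registry value names are taken from VolumeEncryption.admx.
$drive   = 'E:'
$draCert = 'C:\certs\bitlocker-dra.cer'

function Test-BitLockerProtected([string]$Volume) {
    # manage-bde prints "Protection Status:    Protection On" once encryption has finished
    # and at least one key protector is in place.
    $status = manage-bde -status $Volume
    return [bool]($status | Select-String 'Protection Status:\s+Protection On')
}

# 1. Encrypt. -pw prompts for the unlock password (length/complexity follow policy);
#    -rp adds a 48-digit recovery password, which must be escrowed (AD DS via policy, or
#    printed and filed) before the drive leaves the building.
manage-bde -on $drive -pw -rp

# 2. Certificate protector (the organisation's DRA certificate, or a user smart card), and
#    auto-unlock on this machine. Auto-unlock stores the external key on the OS volume, so
#    it is only sensible when the OS drive is itself BitLocker-protected.
manage-bde -protectors -add $drive -Certificate -cf $draCert
if (Test-BitLockerProtected $env:SystemDrive) { manage-bde -autounlock -enable $drive }

# 3. Verify and list the protectors (the recovery password ID is what the helpdesk asks for).
manage-bde -status $drive
manage-bde -protectors -get $drive
if (-not (Test-BitLockerProtected $drive)) {
    Write-Warning "$drive is not fully protected yet (encryption may still be running)"
}

# 4. Policy: block writes to removable drives that are not BitLocker-protected, and to drives
#    whose identification field does not match ours (encrypted by another organisation).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess'        -Value 1 -Type DWord   # "Deny write access to removable drives not protected by BitLocker"
Set-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg'           -Value 1 -Type DWord   # "Do not allow write access to devices configured in another organization"
Set-ItemProperty -Path $fve -Name 'IdentificationField'       -Value 1 -Type DWord   # "Provide the unique identifiers for your organization"
Set-ItemProperty -Path $fve -Name 'IdentificationFieldString' -Value 'CONTOSO' -Type String
```

The identification field is written into the drive's BitLocker metadata when step 1 runs, so set the policy before users start encrypting drives; otherwise drives encrypted earlier will be treated as foreign by the cross-organisation check and become read-only.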
Branch Office Network Performance
Application and data access over WAN
is slow in branch offices
Slow connections hurt user
productivity
Improving network performance is
expensive and difficult to implement
Caches content downloaded from file
and Web servers
Users in the branch can quickly open
files stored in the cache
Frees up network bandwidth for other
uses
BranchCache (Enterprise)
Distributed cache mode:
- Recommended for branches without a branch server
- Easy to deploy: enabled on clients through Group Policy
- Cache availability decreases with laptops that go offline
Hosted cache mode:
- Cache stored centrally on an existing server in the branch
- Cache availability is high
- Enables branch-wide caching
- Increased reliability
[Diagram: BranchCache distributed cache. Clients exchange content identifiers (IDs) and data directly with each other in the branch.]
[Diagram: BranchCache hosted cache. Clients search the hosted cache by content ID and retrieve the data from it.]
BranchCache Framework
[Diagram: BranchCache sits beneath the SMB (CSC/SRV), BITS and HTTP (WebIO/http.sys) stacks; consumers include Explorer and CopyFile, Office and SharePoint, IE, WMP and 3rd-party applications.]
Security Flow
- Client requests data from the server and indicates BranchCache capability
  - Server authorizes the client
  - Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
  - Server sends the metadata on the same authorized channel as the data
- Client computes a segment discovery key
- Client broadcasts it on the local network; serving clients receive the broadcast
  - Look up the segment that corresponds to the discovery key in their cache
  - Respond with data availability
- Client requests blocks from the serving client
  - Serving client computes the encryption key from the segment private key
  - Serving client encrypts each block with the encryption key
- Client receives the data
  - Decrypts the data
  - Validates the block data against the block hash
  - If valid, returns it to the application
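The flow above, modelled end to end in one script with the server, the requesting client and a serving peer as functions. This is an added example, not code from the deck or from Microsoft's implementation: the derivations (segment hash over the block hashes, segment secret from a server secret, discovery key and encryption key from the segment secret, the constant "MS_P2P_CACHING") follow my reading of the MS-PCCRC/MS-PCCRR specifications, and the block size, hash and cipher choices, AES-CBC framing and sample content are assumptions for illustration; check the specifications before relying on the details.

```powershell
# Added example (not from the deck): a toy model of the BranchCache security flow. Constants,
# block size and AES-CBC framing are assumptions; content is constructed for the demo.
$script:C         = [System.Text.Encoding]::Unicode.GetBytes('MS_P2P_CACHING')
$script:BlockSize = 64KB

function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
function Get-Sha256([byte[]]$Data) {
    $h = [System.Security.Cryptography.SHA256]::Create()
    try { $h.ComputeHash($Data) } finally { $h.Clear() }
}
function Get-Hmac([byte[]]$Key, [byte[]]$Data) {
    $h = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    try { $h.ComputeHash($Data) } finally { $h.Clear() }
}

function New-ServerContent([byte[]]$Content, [byte[]]$ServerSecret) {
    # Server side: split into blocks, hash each block, hash the block hashes (segment hash HoD),
    # derive the segment secret Ks. Ks is released only to clients the server has authorized.
    $blocks = @(); $blockHashes = @()
    for ($i = 0; $i -lt $Content.Length; $i += $script:BlockSize) {
        $len = [Math]::Min($script:BlockSize, $Content.Length - $i)
        $blk = New-Object byte[] $len
        [Array]::Copy($Content, $i, $blk, 0, $len)
        $blocks += ,$blk
        $blockHashes += ,(Get-Sha256 $blk)
    }
    $hod = Get-Sha256 ([byte[]]($blockHashes | ForEach-Object { $_ }))
    $ks  = Get-Hmac $ServerSecret $hod
    @{ Blocks = $blocks; BlockHashes = $blockHashes; HoD = $hod; Ks = $ks }
}

# Discovery key: keyed hash of the segment hash. It identifies the segment to peers but reveals
# neither HoD nor Ks. Encryption key: derived from Ks alone, so only authorized holders have it.
function Get-DiscoveryKey([byte[]]$Ks, [byte[]]$HoD) { Get-Hmac $Ks ([byte[]]($HoD + $script:C)) }
function Get-EncryptionKey([byte[]]$Ks) { [byte[]](Get-Hmac $Ks $script:C)[0..15] }   # AES-128

function Invoke-PeerServe($PeerCache, [byte[]]$DiscoveryKey, [int]$Index) {
    # Serving client: match the broadcast key against its cache, then return the block
    # encrypted under the key it derives from its own copy of Ks.
    $entry = $PeerCache[(ConvertTo-Hex $DiscoveryKey)]
    if ($null -eq $entry) { return $null }             # "not available" response
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-EncryptionKey $entry.Ks); $aes.GenerateIV()
    $plain = [byte[]]$entry.Blocks[$Index]
    $ct = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    @{ IV = $aes.IV; Cipher = $ct }
}

function Invoke-ClientFetch($Meta, $PeerCache, [int]$Index) {
    # Requesting client: broadcast the discovery key, decrypt what comes back, and hand the
    # block to the application only if it matches the block hash obtained from the server.
    $dk = Get-DiscoveryKey $Meta.Ks $Meta.HoD
    $resp = Invoke-PeerServe $PeerCache $dk $Index
    if ($null -eq $resp) { return @{ Status = 'fallback-to-server' } }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-EncryptionKey $Meta.Ks); $aes.IV = $resp.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($resp.Cipher, 0, $resp.Cipher.Length)
    if ((ConvertTo-Hex (Get-Sha256 $plain)) -ne (ConvertTo-Hex $Meta.BlockHashes[$Index])) {
        return @{ Status = 'hash-mismatch' }
    }
    @{ Status = 'ok'; Data = $plain }
}

# --- demo with constructed data ---------------------------------------------------------
$serverSecret = [byte[]](1..32)
$content = [System.Text.Encoding]::ASCII.GetBytes(('branch office payroll report ' * 4000))  # 2 blocks
$srv  = New-ServerContent $content $serverSecret
$meta = @{ BlockHashes = $srv.BlockHashes; HoD = $srv.HoD; Ks = $srv.Ks }   # what an authorized client gets

# A peer that fetched the same file earlier holds the blocks and Ks, indexed by discovery key.
$peerCache = @{}
$key = ConvertTo-Hex (Get-DiscoveryKey $srv.Ks $srv.HoD)
$peerCache[$key] = @{ Ks = $srv.Ks; Blocks = $srv.Blocks }

$r = Invoke-ClientFetch $meta $peerCache 1
"block 1 from peer: $($r.Status)"                               # ok
$peerCache[$key].Blocks[1][0] = $peerCache[$key].Blocks[1][0] -bxor 1   # peer serves a corrupted block
"block 1 after tamper: $((Invoke-ClientFetch $meta $peerCache 1).Status)"   # hash-mismatch
```

Two properties of the slide's flow are visible here: a machine that only overhears the broadcast learns a discovery key from which it can recover neither the segment hash nor Ks, so the encrypted blocks a peer serves are useless to it; and a peer that serves corrupted data is caught by the block-hash check, not trusted.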
Security of data at rest
- Clients
  - Cache only contains content requested by the client
  - Data in the cache is ACL'd so that it is only accessible if authorized by the server
  - If data leakage is a concern, use BitLocker or EFS
- Hosted cache
  - Cache contains content requested by all branch clients
  - Use BitLocker or EFS to encrypt the cache as necessary
- All data can be purged from the cache using netsh
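The client-side deployment choices from the BranchCache slides (distributed versus hosted cache mode, cache size, status) together with the data-at-rest points above (encrypting the volume that holds the cache, purging it with netsh) as one script. This is an added example, not from the deck; the hosted cache server name is a placeholder (assumption), and the commands are the `netsh branchcache` context that ships with Windows 7.

```powershell
# Added example (not from the deck): configure a Windows 7 client for the cache mode that fits
# the branch, report the result, check encryption at rest, and purge the cache on request.
# The hosted cache server name is a placeholder.
param(
    [ValidateSet('distributed', 'hostedclient', 'local', 'disabled')]
    [string]$Mode = 'distributed',
    [string]$HostedCacheServer = 'branch-hc01.corp.contoso.com',
    [switch]$Flush
)

# 1. Select the mode. 'distributed' for branches without a server, 'hostedclient' where one
#    exists (the client must trust the hosted cache server's TLS certificate), 'local' keeps a
#    cache for this machine only. When the mode is pushed by Group Policy instead, also enable
#    the predefined firewall rules "BranchCache - Content Retrieval (Uses HTTP)" and
#    "BranchCache - Peer Discovery (Uses WSD)".
switch ($Mode) {
    'hostedclient' { netsh branchcache set service mode=hostedclient location=$HostedCacheServer }
    default        { netsh branchcache set service mode=$Mode }
}

# 2. Limit the client cache to 5 % of the disk and show what is configured and where it lives.
netsh branchcache set cachesize size=5 percent=TRUE
netsh branchcache show status all
netsh branchcache show localcache

# 3. Data at rest: the per-content ACLs do not help against an offline read of the disk, so
#    check that the volume holding the cache is BitLocker-protected.
$osProtected = manage-bde -status $env:SystemDrive | Select-String 'Protection Status:\s+Protection On'
if (-not $osProtected) {
    Write-Warning "BranchCache data on $env:SystemDrive is not encrypted at rest; enable BitLocker on the OS drive"
}

# 4. Incident response or decommissioning: drop every cached block (the "purge using netsh"
#    on the slide). Clients simply re-fetch from the server or from peers afterwards.
if ($Flush) { netsh branchcache flush }
```

Run it as `.\Set-BranchCacheClient.ps1 -Mode hostedclient -HostedCacheServer branch-hc01.corp.contoso.com` from an elevated prompt (netsh changes the service configuration); `-Flush` is kept as an explicit switch so that a routine configuration run never empties the cache by accident.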
Deployment Workshop with Visma Ajourit
- Two-day deployment workshop
- How to work more efficiently and save time and money
- WDS, MDT, USMT, WAIK, DISM, WinPE, MAP, ACT and much more
http://www.visma.no/administrative-tjenester/kurs/visma-kurssenter/Sider/smakebit-paa-microsoft-windows-7.aspx
Location and date (October 2009):
- Bergen: 5-6 October
- Oslo: 12-13 October
- Stavanger: 19-20 October
- Trondheim: 26-27 October
Links
http://www.microsoft.com/downloads
http://www.microsoft.com/springboard
http://www.microsoft.no/technet
http://technet.microsoft.com/sysinternals
http://www.microsoft.com/windows7
http://www.microsoft.com/deploy
Whitepapers:
- BranchCache Executive Overview
- BranchCache Technical Overview
- BranchCache Security Guide
- BranchCache Early Adopter's Guide
- Windows 7 Walkthrough: BranchCache