Jayesh Mowjee
Security Consultant
Microsoft
Session Code: SIA 201
Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista,
Windows 7 provides IT Professionals security features that
are simple to use, manageable, and valuable.
Fundamentally
Secure
Platform
Protect
Users &
Infrastructure
Securing
Anywhere
Access
Protect Data
from
Unauthorized
Viewing
Fundamentally Secure Platform
Windows Vista
Foundation
Streamlined User
Account Control
Enhanced Auditing
Security Development Lifecycle
process
Make the system work well for
standard users
XML based
Kernel Patch Protection
Administrators use full privilege
only for administrative tasks
Detailed collection of audit
results
File and registry virtualization
helps applications that are not
UAC compliant
Simplified compliance
management
Windows Service Hardening
DEP & ASLR
Internet Explorer 8 inclusive
Mandatory Integrity Controls
Granular audit categories
User Account Control
System Works for Standard User
All users, including administrators,
run as Standard User by default
Administrators use full privilege only
for administrative tasks or
applications
User provides explicit consent before
using elevated privilege
Disabling UAC removes protections,
not just consent prompt
Reduce the number of OS
applications and tasks that require
elevation
Re-factor applications into
elevated/non-elevated pieces
Flexible prompt behavior for
administrators
Users can do even more as a
standard user
Administrators will see fewer UAC
Elevation Prompts
Desktop Auditing
New XML based events
Fine grained support for audit of
administrative privilege
Simplified filtering of “noise” to
find the event you’re looking for
Tasks tied to events
Granular auditing complex to
configure
Auditing access and privilege use
for a group of users
Simplified configuration results
in lower TCO
Demonstrate why a person has
access to specific information
Understand why a person has
been denied access to specific
information
Track all changes made by
specific people or groups
UAC & Audit
Helping Secure Anywhere Access
Network Security
Policy based network
segmentation for more
secure and isolated logical
networks
Multi-Home Firewall
Profiles
DNSSec Support
Network Access
Protection
DirectAccess
Help ensure that only
“healthy” machines can
access corporate data
Security enhanced,
seamless, always on
connection to corporate
network
Enable “unhealthy”
machines to get clean
before they gain access
Improved management
of remote users
Network Access Protection
Policy Servers
such as: Update, AV
Health policy validation and
remediation
Helps keep mobile, desktop and server
devices in compliance
Reduces risk from unauthorized
systems on the network
Remediation
Servers
Restricted
Network
Example: Update
Not policy
compliant
Windows
Client
DHCP, VPN
Switch/Router
NPS
Policy
compliant
Corporate Network
Remote Access for Mobile Workers
Access Information Virtually Anywhere
Difficult for users to access corporate
resources from outside the office
Challenging for IT to manage, update
mobile PCs while disconnected from
company network
Same experience accessing corporate
resources inside and outside the
office
Seamless connection increases
productivity of mobile users
Easy to service mobile PCs and
distribute updates and polices
Help Protect Users & Infrastructure
AppLockerTM
Enables application
standardization within an
organization without
increasing TCO
Support compliance
enforcement
Internet Explorer 8
Help protect users against
social engineering and
privacy exploits
Help protect users against
browser based exploits
Help protect users against
web server exploits
Data Recovery
File back up and restore
CompletePC™ imagebased backup
System Restore
Volume Shadow Copies
Volume Revert
Application Control
Users can install and run nonstandard applications
Even standard users can install
some types of software
Unauthorized applications may:
Introduce malware
Increase helpdesk calls
Reduce user productivity
Undermine compliance efforts
Eliminate unwanted/unknown
applications in your network
Enforce application
standardization within your
organization
Easily create and manage flexible
rules using Group Policy
AppLocker
Simple Rule Structure: Allow, Exception & Deny
Publisher Rules
Product Publisher, Name, Filename & Version
Multiple Policies
Executables, installers, scripts & DLLs
Rule creation tools & wizard
Including PowerShell cmdlets
Audit only mode
SKU Availability
AppLocker – Enterprise
Legacy SRP – Business & Enterprise
AppLocker
Internet Explorer 8 Security
Freedom from intrusion
Social Engineering & Exploits
Reduce unwanted communications
Protection from harm
Browser & Web Server Exploits
Protection from deceptive websites,
malicious code, online fraud, identity theft
Control of information
Choice and control
Clear notice of information use
Provide only what is needed
International Domain Names
Pop-up Blocker
Increased usability
Secure Development Lifecycle
Extended Validation (EV) SSL certs
SmartScreen® Filter
Domain Highlighting
XSS Filter/ DEP/NX
ClickJacking Prevention
ActiveX® Controls
User-friendly, discoverable notices
P3P-enabled cookie controls
Delete Browsing History
InPrivate™ Browsing & Filtering
Help Protect Data
RMS
EFS
Policy definition
and enforcement
User-based file and
folder encryption
Helps protect
information wherever it
travels
Ability to store EFS keys
on a smart card
Integrated RMS Client
BitLocker
Easier to configure and
deploy
Roam protected data
between work and home
Share protected data
with co-workers, clients,
partners, etc.
BitLocker
+
Dual partition configuration of primary
hard drive for IT
Extend BitLocker drive encryption to
removable devices
End user friendliness and
discoverability
Create group policies to mandate the
use of encryption and block
unencrypted drives
Corporate control over ubiquitous,
cheap, small, high capacity removable
storage devices
Simplify BitLocker setup and
configuration of primary hard drive
BitLocker
BitLocker Enhancements
Automatic 100 Mb hidden boot partition
New Key Protectors
Domain Recovery Agent (DRA)
Smart card – data volumes only
BitLocker To Go
Support for FAT*
Protectors: DRA, passphrase, smart card and/or auto-unlock
Management: protector configuration, encryption enforcement
Read-only access on Windows Vista & Windows XP
SKU Availability
Encrypting – Enterprise
Unlocking – All
BitLocker
Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista®, Windows® 7 provides IT Professionals
security features that are simple to use, manageable, and valuable.
Fundamentally
Secure Platform
Helping Secure
Anywhere
Access
Protect Users &
Infrastructure
Windows Vista
Foundation
Network Security
AppLockerTM
RMS
Network Access
Protection
Internet Explorer® 8
EFS
Data Recovery
BitLocker ™ &
BitLocker To GoTM
Streamlined User
Account Control
Enhanced Auditing
DirectAccessTM
Help
Protect
Data
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.