Windows Server 2008 {Security Technologies}
Ben Hunter, Consultant, Microsoft Services

Agenda
• Key customer challenges
• Secure platform
• Secure Access Control
• Secure information and regulatory compliance
• Summary
Windows Server 2008 Customer challenges
Platform Reliability
• File system and registry are easy targets for attacks
• Fewer layers between user and kernel increases platform vulnerability
• Server applications at risk because of a weak platform architecture
Unauthorized access
• Unauthorized users able to access the network
• Non-compliant devices access and hence corrupt the network
• Wireless network security is difficult to deploy and manage
Data security and compliance
• Unauthorized use of data, documents and emails
• Legal and regulatory issues due to loss of sensitive data
• Competitive disadvantage due to loss of corporate intellectual property
Windows Server 2008 Advancements
Secure Platform
• Hardened platform with reduced high-risk layers
• Prevent abnormal activity in the file system and registry
• Re-architected platform to reduce corruption and compromise of the system
Secure Access Control
• Enable policy validation, compliance and remediation for user access
• Effectively manage and secure mobile users and devices
• Segregate user access based on identity
Secure Information and Regulatory Compliance
• Reduce risk of data loss by restricting email and document usage to authorized users
• Helps network compliance with regulatory and corporate policies
• Prevent corporate intellectual property from being stolen
Windows Server 2008 Security features
Secure Platform
• Windows Service Hardening
• Windows Firewall with Advanced Security
• Enhanced and improved TCP/IP Stack
Secure Access Control
• Network Access Protection
• Server and Domain Isolation
• Active Directory Federation Services
Secure Information and Compliance
• BitLocker
• Active Directory Rights Management Service
• Enhanced auditing infrastructure
Windows Services Hardening
• Windows Services are profiled
• Reduce size of high-risk layers
• Segment the services
• Increase number of layers
[Diagram: services (Service 1, 2, 3, A, B, …) segmented into kernel-mode (K) and user-mode (U) layers over Kernel Drivers and User-mode Drivers]
Evolution Of Windows Server TCP/IP
[Diagram: Next-Generation TCP/IP Stack (tcpip.sys). User mode: Winsock. Kernel mode: TDI clients, AFD and WSK clients over the TDI, TDX and WSK interfaces; RAW, TCP and UDP over the Windows Filtering Platform; a dual IPv6/IPv4 layer over 802.3, 802.11, loopback, IPv4 tunnel and IPv6 tunnel; NDIS underneath]
Next Generation Networking Highlights
• New dual-IP layer architecture for native IPv4 and IPv6 support
• Expanded IPsec integration
• Improved performance via hardware acceleration
• New network auto-tuning and optimisation algorithms
• Increased extensibility and reliability through rich APIs
New Windows Firewall
• Inbound and Outbound Filtering
• New Management Console
• Integrated Firewall and IPsec Policies
• Rule Configuration on Active Directory Groups and Users
• Support for IPv4 and IPv6
• Advanced Rule Options
• On by Default (Beta 3)
Read-Only Domain Controller (RODC)
[Diagram: Main Office domain controller replicating to Branch Office RODC]
• Features
  • Read-only Active Directory database and GC PAS
  • Only allowed user passwords are stored on RODC
  • Unidirectional replication
  • Role separation
• Benefits
  • Increases security for remote domain controllers where physical security cannot be guaranteed
• Support
  • ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
How RODC Works
[Diagram: user at the remote site, RODC, and a writable Windows Server 2008 DC at the hub]
1. User logs on and authenticates
2. RODC looks in its database: "I don't have the user's secrets"
3. RODC forwards the request to the Windows Server 2008 DC
4. Windows Server 2008 DC authenticates the request
5. DC returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user, and the RODC will cache the credentials
Demo: {Fine Grained Password Policies}
Network Access Protection
Policy-based solution that:
• Validates whether computers meet health policies
• Limits access for noncompliant computers
• Automatically remediates noncompliant computers
• Continuously updates compliant computers to maintain health state
[Diagram: Internet, boundary zone and intranet; employees, partners, vendors, customers and remote employees connecting from each zone]
Solution Highlights
• Standards-based
• Plug and Play: works with most devices
• Supports multiple antivirus solutions
• Has become the standard for Network Access Control
Network Access Protection: How it works
1. Access requested
2. Health state sent to NPS (RADIUS)
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation
[Diagram: client connects via DHCP, VPN or switch/router to Microsoft NPS; policy servers (e.g. patch, AV) back the health check; policy-compliant clients reach the corporate network, non-compliant clients are placed on the restricted network with remediation servers (e.g. patch)]
Extending Network Access Protection
Vendors and Developers
• Using published APIs to extend functionality and create:
  • Custom network policy validation
  • Ongoing network policy compliance
  • Network isolation components
  • Heterogeneous operating system support (Linux, Macintosh)
Ecosystem Partners
• Networking, Anti-Virus, Systems Integrators, Endpoint Security, Update/Management
Interoperability Partners
• Cisco, Trusted Computing Group, Juniper Networks
Broad Industry Adoption And Support
• More than 120 Partners
Demo: {Network Access Protection}
Server And Domain Isolation
[Diagram: Active Directory domain controller and corporate network; managed computers and an HR workstation inside the domain isolation boundary; servers with sensitive data inside a server isolation boundary; a trusted resource server; an unmanaged/rogue (untrusted) computer blocked at the boundary]
• Enable tiered access to sensitive resources
• Block inbound connections from untrusted computers
• Managed computers can communicate
• Define the logical isolation boundaries
• Distribute policies and credentials
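The isolation boundaries on this slide are built from the integrated firewall and IPsec policies mentioned on the New Windows Firewall slide. The script below is an added example, not part of the deck or any Microsoft sample, that expresses a minimal domain isolation policy plus one server isolation rule with netsh advfirewall, the Windows Server 2008 / Vista command line for that firewall. It assumes domain-joined computers with Kerberos available for computer authentication, local administrative rights, and the hypothetical domain controller addresses 10.0.0.10 and 10.0.0.11; in production the same rules are distributed by Group Policy, which is the "distribute policies and credentials" step.

```powershell
# Added example (not from the deck): server and domain isolation with
# netsh advfirewall. Assumes domain-joined hosts, Kerberos computer
# authentication, administrative rights, and hypothetical DC addresses.

# Domain isolation: require authentication (Kerberos, computer identity)
# on inbound connections and request it outbound, so managed computers
# can talk to each other while unauthenticated inbound traffic from
# unmanaged or rogue computers is dropped.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# Exemption: domain controllers must be reachable before IPsec can be
# negotiated (Kerberos tickets come from them), so traffic to them is
# left unauthenticated. Addresses are hypothetical.
netsh advfirewall consec add rule name="Exempt DCs" `
    endpoint1=any endpoint2=10.0.0.10,10.0.0.11 `
    action=noauthentication `
    profile=domain

# Server isolation, applied on a server holding sensitive data: accept
# SMB only over connections that passed IPsec authentication, i.e. only
# from managed computers covered by the domain isolation rule.
netsh advfirewall firewall add rule name="SMB from managed hosts only" `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenticate `
    profile=domain

# Verify the policy and, after some traffic, the negotiated main-mode
# security associations (each SA is a peer that authenticated).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Roll this out in stages: start the connection security rule in request mode (requestinrequestout), confirm from the main-mode SA list that every managed computer negotiates IPsec, then switch to requireinrequestout. Switching straight to require mode silently cuts off any managed host that was missed, and the DC exemption list must be complete before either mode is enforced.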
More Secure And Manageable Wireless LAN
[Diagram: wireless clients, wireless access points and wireless controller authenticating against Network Policy Server (authentication server) backed by Active Directory, with an optional Certificate Authority and optional SQL Server]
• Efficiently deploy and manage secure 802.11 wireless networking
• Deploy and maintain leading wireless 802.11 security methods, including smartcards or passwords, with no additional client software
• Windows Server NPS, AD and optional CA services enable central control of network authentication and encryption of wireless 802.11 traffic
Windows Eventing 6.0
• The new auditing subsystem in Windows Vista and Windows Server 2008
• 95% of Windows Server 2008 feature set exists within Windows Vista codebase
• Includes
  • Enhanced event explanation text
  • XML event format
  • Accessible via WS-Management
  • Granular Audit Policy (GAP) through subcategories (AuditPol)
  • Increased scalability
  • Event Triggering
  • Enhanced Registry and Directory Service auditing
  • Event Subscriptions
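The XML event format is what makes Eventing 6.0 events filterable with XPath and parseable field by field. The script below is an added example, not code from the deck, that uses an XPath query over the Security log to pull the last 24 hours of failed logons (event ID 4625, the Vista/2008 failed-logon event) and summarize them per target account. It assumes PowerShell 2.0 or later (for Get-WinEvent) on Windows Server 2008 / Vista or newer, an administrative session, and that failure auditing for the Logon subcategory is enabled.

```powershell
# Added example (not from the deck): XPath query over Eventing 6.0 XML
# events to summarize failed logons per account. Assumes PowerShell 2.0+
# (Get-WinEvent), administrative rights, and Logon failure auditing on.

# Query in the event-log XML query form: event 4625 from the Security
# log created within the last 24 hours (timediff is in milliseconds).
$failedLogonQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-FailedLogonSummary {
    param([string]$FilterXml = $failedLogonQuery)

    # Get-WinEvent raises an error rather than returning nothing when no
    # event matches; treat that as an empty result.
    $events = Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $summary = @{}
    foreach ($e in $events) {
        # Every Eventing 6.0 record is XML; EventData holds named fields
        # such as TargetUserName, TargetDomainName, IpAddress and Status.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $account = "{0}\{1}" -f $data['TargetDomainName'], $data['TargetUserName']
        if (-not $summary.ContainsKey($account)) {
            $summary[$account] = New-Object PSObject -Property @{
                Account  = $account
                Failures = 0
                Sources  = @{}          # distinct source addresses
                Status   = $data['Status']
            }
        }
        $summary[$account].Failures++
        $summary[$account].Sources[$data['IpAddress']] = $true
    }

    $summary.Values |
        Select-Object Account, Failures, Status,
            @{ n = 'SourceCount'; e = { $_.Sources.Count } } |
        Sort-Object Failures -Descending
}

# Accounts with many failures, especially from many sources, are the ones
# to follow up first.
Get-FailedLogonSummary | Format-Table -AutoSize
```

The same query, unchanged, can be pasted into the Event Viewer custom view XML tab or used as the filter of an event subscription, which is the point of having one XML query language across the tools.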
Security Event Comparison: Windows Server 2003 vs Windows Server 2008
[Comparison figure not captured in the transcript]
Granular Audit Policy (GAP)
• Broad audit categories result in event overload
  • The only option in previous versions of Windows
• Each category (9 previously) has events broken down to provide selective success/failure
  • Decreased ratio to ~7 events per subcategory
• Not deployable through standard Group Policy UI
• Leverage updated AUDITPOL to set and review
  • List available GAP categories:
    auditpol /list /subcategory:*
  • Get configured policies:
    auditpol /get /category:*
• KB 921469 has sample instructions on how to deploy in GP today for Windows Server 2008 and Vista
• Note: Once deployed, audit policy is not often changed
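Because GAP settings are applied per subcategory outside the standard Group Policy UI, the practical risk is drift: a subcategory gets switched off on one server and nobody notices until the events are needed. The script below is an added example, not from the deck or KB 921469, that parses the output of the auditpol /get /category:* command shown above, compares it against a baseline, and shows the auditpol /set form needed to correct a subcategory. It assumes PowerShell 2.0 or later on Windows Server 2008 / Vista or newer, an administrative session, and auditpol's text layout (subcategories indented by two spaces, followed by "No Auditing", "Success", "Failure" or "Success and Failure"). The baseline is a constructed sample, not a Microsoft recommendation.

```powershell
# Added example (not from the deck): detect drift between the live
# Granular Audit Policy and a baseline. Assumes PowerShell 2.0+,
# administrative rights, and auditpol's text output layout.

# Constructed sample baseline: desired setting per subcategory.
$baseline = @{
    'Logon'                   = 'Success and Failure'
    'Logoff'                  = 'Success'
    'Account Lockout'         = 'Success'
    'Security State Change'   = 'Success and Failure'
    'Audit Policy Change'     = 'Success and Failure'
    'Sensitive Privilege Use' = 'Failure'
}

function Get-AuditPolicy {
    # Returns a hashtable of subcategory -> setting parsed from auditpol.
    # Category lines are not indented, so only subcategory lines match.
    $policy = @{}
    foreach ($line in (auditpol /get /category:*)) {
        if ($line -match '^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            $policy[$matches[1]] = $matches[2]
        }
    }
    $policy
}

function Compare-AuditPolicy {
    # Emits one object per subcategory whose live setting differs from
    # the baseline (or that is missing from auditpol's output).
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($sub in $Baseline.Keys) {
        $actual = if ($Current.ContainsKey($sub)) { $Current[$sub] } else { 'not found' }
        if ($actual -ne $Baseline[$sub]) {
            New-Object PSObject -Property @{
                Subcategory = $sub
                Expected    = $Baseline[$sub]
                Actual      = $actual
            }
        }
    }
}

function Set-AuditSubcategory {
    # Runs the auditpol /set command that brings one subcategory to the
    # given setting ('Success and Failure', 'Success', 'Failure', 'No Auditing').
    param([string]$Subcategory, [string]$Setting)
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Subcategory" /success:$success /failure:$failure
}

$drift = @(Compare-AuditPolicy -Baseline $baseline -Current (Get-AuditPolicy))
if ($drift.Count -gt 0) {
    $drift | Format-Table Subcategory, Expected, Actual -AutoSize
    # Remediation is left commented out: the slide notes audit policy is
    # rarely changed once deployed, so a change is worth explaining first.
    # $drift | ForEach-Object { Set-AuditSubcategory $_.Subcategory $baseline[$_.Subcategory] }
} else {
    'Audit policy matches baseline.'
}
```

Run the check on a schedule and forward its output; an unexplained switch of a subcategory to "No Auditing" is itself a security event, and the Audit Policy Change subcategory in the baseline above is there so the change is also recorded in the Security log.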
Demo: {Auditing}
Protecting Information
• Rights Management Services (RMS) is a technology in WS08 for protecting documents, data and emails from unauthorized access and use
• Document owner can identify authorized users
• Protection goes with the file
• Both access and usage restrictions are enforced
• RMS can manage Forwarding, Printing, Copy-and-Paste, Print Screen, Document Expiration
• Easy to use, integrated with Office
• Managed by the enterprise
Active Directory Federation Services (ADFS)
• Projecting user identity from a single logon…
• Providing distributed authentication and claims-based authorization…
• Connecting islands (across security, organizational or platform boundaries)…
• Enabling web single sign-on and simplified identity management
An authentication method that enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest
Protecting Intellectual Capital: RMS Workflow
[Diagram: author using Office, Windows Server running RMS backed by Active Directory and SQL Server, and the recipient]
1. Author receives a client licensor certificate the "first time" they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "Publish License" and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the RMS-enabled application calls the RMS server, which validates the user and issues a "Use License"
5. The RMS-enabled application renders the file and enforces rights
Federated Rights Management
[Diagram: Contoso (Account Federation Server, AD) and Adatum (Resource Federation Server, AD, RMS, web SSO) connected by a federation trust]
• Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
• AD RMS is fully claims-aware and can interpret AD FS claims
• Office SharePoint Server 2007 can be configured to accept federated identity claims
BitLocker – Persistent Protection
• Protects data while a system is offline
• Ensures boot process integrity
• Simplifies equipment recycling
• Mitigating against external threats
• Full volume encryption – multiple drives
Summary
• Windows Server 2008 introduces a number of security enhancements and innovations to increase protection of
  • Servers
  • Networks
  • Data
• Administrators will have policy-driven mechanisms to better manage and secure network access
• Solutions like Network Access Protection (NAP) offer administrators a wide range of choice and deployment flexibility to better secure their Windows networks
Reminders
• Subscribe to our free, online newsletters to stay up to date with Microsoft news, information & events
  • www.microsoft.co.nz/subscribe
• Don't forget to fill in your Evaluation form!
  • Hand in at end of day for complimentary software
• TechEd 2008: 1-3 September, SkyCity
  • Mark the dates. Registration opening soon.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.