Next Generation Security Tal Sarid | Principal Consultant | MCS
Agenda
• Today’s Security Challenges
• Windows Security
• Next Generation Windows 2012 Security
In the news…
• Michigan firm able to determine 200,000 account passwords in under an hour: The most popular passwords among nearly 400,000 exposed by the Gawker hack were "123456" and "password", according to an analysis done by a Michigan security firm.
• Microsoft Work Exposes Magnitude of Botnet Threat: Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…
• Lost Devices Cost Companies Billions: Last month, an oil giant announced an unencrypted laptop containing sensitive information on 13,000 individuals. The incident may cost…
• Phone-call security scam targeting PC users: Microsoft is warning customers about a new threat where criminals posing as computer security engineers call people at home to warn them about a security threat.
• Researchers Discover Link Between a Series of Trojans: A difficult-to-remove rootkit behind numerous sophisticated attacks appears to have helped spread yet another Trojan.
• Security firm's confidential data is exposed after successful hack: A web application security provider has just revealed that a cyber attack appears to have exposed sensitive data about the company's partners and employees, including their login credentials. Representatives from the company haven't responded to emails asking for confirmation...
• The Stealthiest Rootkit in the Wild? Feds launched raids against individuals who have allegedly been managing the Rustock "botnet," a vast network of computers around the globe that have been infected with malicious software that allows the devices to distribute enormous volumes of spam...
• RSA warns customers after company is hacked: SecurID tokens from EMC's RSA Security division, which are used for two-factor authentication, have been compromised after a sophisticated cyber-attack…
2012: IT challenges
• Mobile workforce (Mobile)
• Hybrid cloud (Going hybrid…)
• Generational (What generation are you?)
Today there are as many devices as humans on the planet! Smart phones, browsers, slates, laptops, PCs, servers. In 3 years there will be a ratio of 3:1 for every human!!!
Security “things” to think about…
• Encryption
• Assurance Level
• Policy
• Auditing
• Identity
• Remote Access
• Information Protection
Windows Security
• Work-life blur
• Productive from anywhere
• Information on the go
Compute devices
• Virtual Smartcards
• Trusted Boot
• BitLocker
• DirectAccess (Secure Remote Access)
• Centralized Management
Virtual Smart Cards
• Emulate the functionality of traditional smart cards
• Utilize the Trusted Platform Module (TPM)
• Multiple smart cards can be associated with a single computer to support multiple users
• Provide a comparable level of security assurance to traditional smart cards:
  • Non-exportability
  • Isolated cryptography
  • Anti-hammering
Trusted Boot: Early Load Anti-Malware (requires UEFI 2.3.1)
Until now…
• Malware is able to boot before the OS and anti-malware
• Malware is able to hide and remain undetected
• Systems can be compromised before AM starts
Windows Secure Boot loads anti-malware early in the boot process
• The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts AM software before any 3rd-party boot drivers
• Malware can no longer bypass AM inspection
Enhanced Measured Boot
Windows 7
• Measurements of some boot components evaluated as part of boot
• Only enabled when BitLocker has been provisioned
Windows 8
• Measures all boot components
• Measurements are stored in a Trusted Platform Module (TPM)
• Remote attestation, if available, can evaluate client state
• Enabled when a TPM is present; BitLocker not required
BitLocker
Windows 8 improvements
• Fast encryption with Used Disk Space Only encryption
• ActiveSync to enforce BitLocker on non-domain-joined & BYOD devices
Server 2012 improvements
• Storage Area Network (SAN) support
• Windows Server Cluster support
• Network Unlock
• Active Directory Users and Computers UI
Enterprise management with MBAM…
www.microsoft.com/en-us/download/details.aspx?id=24626&hash=wNAzyTY2nXoIrlY%2b3LjX45stIwpLzu%2fntPqr2g5CO4PpkwNm%2bmCwOP6Ta0lfDFIOlHWZVrhU%2bbePlDwrmPHw7A%3d%3d + www.Microsoft.com/getmbam
What is DirectAccess?
DirectAccess client (Windows 8) ⇄ Internet ⇄ DirectAccess server (Windows 2012) ⇄ Corporate network: DC & DNS (Win 2003+), management servers, applications & data
• Domain member
• IPv6 tunneling / IPv6 transition technologies
• Group Policy
• IPsec – using computer certificates, domain membership, possibly smartcards and NAP health certificates; IPsec end-to-end possible
Windows 2012 Server Next Generation Security
Security enhancements
• Dynamic Access Control: data classification, auditing, encryption, expression-based access
• Certificates: PKI management and lifecycle
• Group Policy: new Windows settings, features and control
• Virtualization security: extensible switch, virtual networks
My Top 5 Security Group Policy Settings:
• Prevent connection to non-domain networks when connected to domain authentication network
• Advanced Auditing Policy Configuration
• File Servers – Central Access Policy
• Log Certificate Expiry events
• Kerberos Client support for claims
Hyper-V Network Virtualization
Server Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion it is running as a physical server
Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network (e.g. a Blue network and a Red network, each with its own VMs, on the same physical server and physical network)
• Each virtual network has the illusion it is running as a physical network
Standards-Based Encapsulation - NVGRE
[Diagram: two virtual networks whose VMs use the same customer addresses, 10.0.0.5 and 10.0.0.7, are carried between hosts 192.168.2.22 and 192.168.5.55 (different subnets). One network is encapsulated with GRE Key 5001, the other with GRE Key 6001; the inner MAC frame and customer addresses are identical, only the key differs.]
http://tools.ietf.org/html/rfc1701
http://www.ietf.org/id/draft-sridharan-virtualization-nvgre-01.txt
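To make the diagram concrete, here is an added Python example (not code from the deck or from Microsoft) that builds the NVGRE encapsulation described in the draft: a GRE header with the Key bit set, protocol type 0x6558 (Transparent Ethernet Bridging) and a 32-bit key holding the 24-bit virtual subnet ID plus an 8-bit flow ID, followed by the tenant's Ethernet frame. The MAC addresses and payload are constructed sample values; the outer provider-address IP header that the host adds (192.168.2.22 to 192.168.5.55 in the diagram) is omitted. The decapsulator rejects anything that is not NVGRE, and the demo shows that two tenants sending 10.0.0.5 to 10.0.0.7 stay separable because of the key alone.

```python
import socket
import struct

GRE_FLAG_KEY = 0x2000    # K bit in the GRE flags word: a Key field follows the protocol type
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: the GRE payload is an Ethernet frame
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_inner_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Ethernet II frame carrying a minimal IPv4/UDP packet: the tenant's customer-address traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + payload


def nvgre_encapsulate(vsid: int, flow_id: int, inner_frame: bytes) -> bytes:
    """GRE header (K=1, protocol 0x6558, Key = VSID<<8 | FlowID) followed by the tenant frame."""
    if not 0 <= vsid < (1 << 24) or not 0 <= flow_id < 256:
        raise ValueError("VSID must fit in 24 bits and FlowID in 8 bits")
    key = (vsid << 8) | flow_id
    return struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_TEB, key) + inner_frame


def nvgre_decapsulate(packet: bytes):
    """Return (vsid, flow_id, inner_frame); raise ValueError for anything that is not NVGRE."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, key = struct.unpack("!HHI", packet[:8])
    if not flags & GRE_FLAG_KEY or proto != ETHERTYPE_TEB:
        raise ValueError("not an NVGRE packet (Key flag missing or protocol != 0x6558)")
    if flags & 0x0007:  # low three bits of the flags word are the GRE version, which must be 0
        raise ValueError("unsupported GRE version")
    return key >> 8, key & 0xFF, packet[8:]


def inner_addresses(frame: bytes):
    """Pull (src_ip, dst_ip) out of the inner IPv4 header (14-byte Ethernet header precedes it)."""
    src, dst = struct.unpack("!4s4s", frame[26:34])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def demo():
    """Two tenants sending identical 10.0.0.5 -> 10.0.0.7 frames, told apart only by the GRE key."""
    # Constructed sample MACs and payload; the addresses are the ones on the slide.
    frame = build_inner_frame("00:15:5d:00:00:05", "00:15:5d:00:00:07", "10.0.0.5", "10.0.0.7", b"hello")
    on_wire = [nvgre_encapsulate(5001, 0, frame), nvgre_encapsulate(6001, 0, frame)]
    seen = []
    for pkt in on_wire:
        vsid, _flow, inner = nvgre_decapsulate(pkt)
        seen.append((vsid, inner_addresses(inner)))
    return seen


if __name__ == "__main__":
    for vsid, (src, dst) in demo():
        print("VSID %d: %s -> %s" % (vsid, src, dst))
```

The point for a defender is that isolation between the Blue and Red networks rests entirely on the host stamping the correct VSID on egress and checking it on ingress; the customer addresses inside the frame carry no tenant information at all, so a capture on the physical network must be read with the key in hand.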
Extensible (Layer 2) Switch
• Capture extensions
• WFP extensions
• Filtering extensions
• Forwarding extensions
Port ACL example:
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action
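The two Add-VMNetworkAdapterAcl lines above only make sense once you know how overlapping entries are resolved. The following added Python model (not the deck's code and not Hyper-V's implementation) evaluates a list of port ACL entries the way Windows Server 2012 documents it: when more than one entry covers the remote address, the most specific one (longest prefix) wins, and a VM with no matching entry is allowed. The VM60_ACLS list is a constructed copy of the slide's two entries, with the second entry's truncated action assumed to be Allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortAcl:
    """One Hyper-V port ACL entry, mirroring Add-VMNetworkAdapterAcl's parameters."""
    remote: str      # "*" or an address / prefix such as 192.168.1.20 or 10.0.0.0/8
    direction: str   # Inbound, Outbound or Both
    action: str      # Allow, Deny or Meter


def _match(acl: PortAcl, addr) -> Optional[int]:
    """Prefix length if the entry covers addr, else None; '*' covers everything at length 0."""
    if acl.remote == "*":
        return 0
    net = ipaddress.ip_network(acl.remote, strict=False)
    if net.version != addr.version or addr not in net:
        return None
    return net.prefixlen


def matching_acl(acls: List[PortAcl], remote_ip: str, direction: str) -> Optional[PortAcl]:
    """The entry that decides traffic to/from remote_ip: longest prefix among those that match."""
    addr = ipaddress.ip_address(remote_ip)
    best, best_len = None, -1
    for acl in acls:
        if acl.direction.lower() not in ("both", direction.lower()):
            continue
        plen = _match(acl, addr)
        if plen is not None and plen > best_len:
            best, best_len = acl, plen
    return best


def is_allowed(acls: List[PortAcl], remote_ip: str, direction: str) -> bool:
    """Deny only when the winning entry says Deny; Meter and Allow both pass traffic."""
    acl = matching_acl(acls, remote_ip, direction)
    return acl is None or acl.action.lower() != "deny"


# Constructed from the slide: deny everything, then allow one management host (assumed Allow).
VM60_ACLS = [
    PortAcl("*", "Both", "Deny"),
    PortAcl("192.168.1.20", "Both", "Allow"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.21", "10.0.0.5"):
        print(ip, "inbound allowed:", is_allowed(VM60_ACLS, ip, "Inbound"))
```

Because the /32 entry for 192.168.1.20 is more specific than the wildcard, it wins regardless of the order in which the two cmdlets were run; every other remote address falls through to the Deny.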
Certificates not a niche service anymore…
• Authentication: Wireless, Wired, DHCP, IPsec, DirectAccess, Remote Desktop, Smartcards, SSL client auth, Non-domain joined, SCOM, Mobile devices, Wireless federations, Azure, Office 365
• Encryption: SSL, LDAP/S, S/MIME encryption, EFS, IPsec, Routers
• Digital signatures: Authenticode, Applications, S/MIME signature, Driver signing
• Health (NAP)
My Top 5 new features in Certificate Services
• Certificate store expiry notifications
• Group-protected PFX
• Shared SSL storage
• Version 4 templates
• Non-domain-joined issuance and renewal!
Dynamic Access Control ( DAC )
DAC Concepts
• Encryption: Automatic RMS encryption based on document classification.
• Expression-based access conditions: Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
• Expression-based auditing: Targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
• Data classification: Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
Central access policies
File Server + AD DS
• User claims: User.Department = Finance; User.Clearance = High
• Device claims: Device.Department = Finance; Device.Managed = True
• Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
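The policy on this slide is easier to reason about once the claims and the rule are written out as data. The Python below is an added example (not the deck's code and not the Windows implementation) that models how a Central Access Policy rule combines with the existing NTFS permissions: the rule targets resources by property (@File.Impact = High), its condition is evaluated over user claims, device claims and resource properties, and a central policy can only narrow what the DACL already grants, never widen it. The claim names and values are the slide's; the sample users and devices in demo() are constructed, and the "no rule targets the file, so the DACL alone decides" behaviour is the simplified model this example assumes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

Claims = Dict[str, object]
READ, WRITE = "Read", "Write"


@dataclass(frozen=True)
class CentralAccessRule:
    """One rule in a Central Access Policy: whom it targets and what it grants under which condition."""
    name: str
    applies_to: Callable[[Claims], bool]                    # resource properties -> targeted?
    permissions: FrozenSet[str]                             # permissions the Allow ACE carries
    condition: Callable[[Claims, Claims, Claims], bool]     # (user, device, resource) -> bool


def evaluate_rule(rule: CentralAccessRule, user: Claims, device: Claims, resource: Claims) -> Optional[Set[str]]:
    """Permissions this rule grants, or None when the rule does not target the resource at all."""
    if not rule.applies_to(resource):
        return None
    return set(rule.permissions) if rule.condition(user, device, resource) else set()


def effective_access(ntfs_perms: Set[str], rules: List[CentralAccessRule],
                     user: Claims, device: Claims, resource: Claims) -> Set[str]:
    """Effective permissions = NTFS DACL result intersected with every rule that targets the resource."""
    allowed = set(ntfs_perms)
    for rule in rules:
        granted = evaluate_rule(rule, user, device, resource)
        if granted is not None:
            allowed &= granted
    return allowed


# The slide's rule, transcribed: Applies to @File.Impact = High;
# Allow Read, Write if (@User.Department == @File.Department) AND (@Device.Managed == True)
HIGH_IMPACT_RULE = CentralAccessRule(
    name="High impact data",
    applies_to=lambda res: res.get("Impact") == "High",
    permissions=frozenset({READ, WRITE}),
    condition=lambda user, device, res: (
        user.get("Department") == res.get("Department") and device.get("Managed") is True),
)
FINANCE_CAP = [HIGH_IMPACT_RULE]


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios around the slide's claims; returns scenario -> sorted effective permissions."""
    finance_user = {"Department": "Finance", "Clearance": "High"}
    marketing_user = {"Department": "Marketing", "Clearance": "High"}
    managed = {"Department": "Finance", "Managed": True}
    byod = {"Department": "Finance", "Managed": False}
    high = {"Department": "Finance", "Impact": "High"}
    low = {"Department": "Finance", "Impact": "Low"}
    dacl = {READ, WRITE}
    cases = {
        "finance user, managed device, high-impact file": (dacl, finance_user, managed, high),
        "finance user, BYOD device, high-impact file": (dacl, finance_user, byod, high),
        "marketing user, managed device, high-impact file": (dacl, marketing_user, managed, high),
        "finance user, managed device, low-impact file (rule not targeted)": (dacl, finance_user, managed, low),
        "finance user, managed device, but DACL grants Read only": ({READ}, finance_user, managed, high),
    }
    return {name: sorted(effective_access(perms, FINANCE_CAP, u, d, r))
            for name, (perms, u, d, r) in cases.items()}


if __name__ == "__main__":
    for scenario, perms in demo().items():
        print("%-70s -> %s" % (scenario, perms or "no access"))
```

The last two scenarios are the ones worth remembering when troubleshooting: a file the rule does not target is governed by its DACL alone, and a rule that "allows Read, Write" never hands out Write to a user whose NTFS permissions stop at Read.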
http://www.microsoft.com/en-us/download/details.aspx?id=30152
So…what did we talk about?
• Mobile and Windows Security: Virtual Smartcards, Secure Boot, Measured Boot, BitLocker, DirectAccess…
• Server 2012 Security: Network Virtualization, Group Policy, DAC, RMS and ADCS…
Next Steps
Hands on Labs
• Windows 2012 Jumpstart: http://technet.microsoft.com/en-us/video/windows-server-2012-jump-start-01-core-hyper-v.aspx
• Windows 2012 Virtual Labs: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx
• Private Cloud Jumpstart: http://technet.microsoft.com/en-us/video/private-cloud-jump-start-01-introduction-to-the-microsoft-private-cloud-with-system-center-2012
Going Hybrid: Windows Azure, hybrid & Windows 2012 (private clouds, virtualized servers, compute devices)
What Next? Download Windows Server 2012 RTM: http://technet.microsoft.com/he-IL/evalcenter/hh670538
Thank you. Tal Sarid | Principal Consultant | MCS talsa@microsoft.com