250 likes | 540 Views
Microsoft Windows 7 Security. Ronen Gottlib, CISSP Information Security Lead Microsoft. Enhance Security & Control . Protect Data on PCs & Devices. BitLocker To Go™ (Windows 7 Enterprise) protects data on removable drives
E N D
Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft
Enhance Security & Control Protect Data on PCs & Devices BitLocker To Go™ (Windows 7 Enterprise) protects data on removable drives BitLocker™ simplifies encryptions and key management for all drives Protect Users & Infrastructure Build on Windows Vista Security Foundation AppLocker™ (Windows 7 Enterprise) controls what applications run Internet Explorer 8 helps keep users safe online User Account Control prompts less Security Development Lifecycle for defense in depth
Data Protection • W7 SOLUTION • SITUATION TODAY • BitLocker To Go™ (Windows 7 Enterprise) • + • Protect data on internal and removable drives • Mandate the use of encryption with Group Policies • Store recovery information in Active Directory for manageability • Simplify BitLocker setup and configuration of primary hard drive • Worldwide Shipments (000s) Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III
Application Control W7 SOLUTION SITUATION TODAY • AppLocker™ (Windows 7 Enterprise) • Users can install and run unapproved applications • Even standard users can install some types of software • Unauthorized applications may: • Introduce malware • Increase helpdesk calls • Reduce user productivity • Undermine compliance efforts • Eliminate unwanted/unknown applications in your network • Enforce application standardization within your organization • Easily create and manage flexible rules using Group Policy
Advanced Group Policy Management What it Does Benefits • Versioning, history & rollback of group policy changes • Role-based administration & templates • Flexible delegation model • Enable group policy change management • Provides granular administrative control • Reduce risk of widespread failure • Enhancing group policy through change management
Unprotected network taps within an organization’s buildings Administrators have limited control over the health of systems joining the network Result: hardware/network upgrades and increased operational costs, reduced productivity Network Access Protection Today’s Challenges Solution: end-to-end, authenticated, tamper-resistant communication • Improved isolation using IPSec • Network access protection across IPSec, 802.1X, DHCP, VPN • Increased manageability
Forefront UAG 2010DirectAccess and RDG Idan Plotnik Security Engineer Forefront MVP
A word on wording • In Windows 7 / Windows Server 2008 R2, Terminal Service (TS) was renamed to Remote Desktop Services (RDS) • Other terminology changes: • Terminal Services Gateway (TSG) Remote Desktop Gateway (RDG) • Terminal Services Server Remote Desktop Session Host • TS Broker RD Connection Broker
How SSLVPN works … RD/TS is published by tunneling its traffic without IAG or any other SSLVPN being able to control the traffic. RDP HTTPS Tunnel IAG RD/TS Client (MSTSC) RD Session Host (TS Server)
What’s new in UAG In UAG RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore, we can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol. UAG + RDG RDP RDP over HTTPS RD/TS Client (MSTSC) RD Session Host (TS Server)
New functionality • UAG seamlessly integrates Terminal Services / Remote Desktop Gateway (TSG/RDG) to provide application level gateway for RDS applications. • Enables employees to securely access applications that are hosted on Terminal Server or their internal workstation • Benefits: • Enhanced security • Granular policies based on client health: • no anti-virus no driver sharing • TS RemoteApps are integrated into UAG portal side-by-side with Web applications • Single sign-on experience
DirectAccess • Providing seamless, secure access to enterprise resources from anywhere
Always On • Always connected • No user action required • Adapts to changing networks
Secure • Encrypted by default • 2 Factor AuthN • Strong Authentication! • Computer AuthN • User AuthN • Granular access control • Coexists with existing edge, health, and access policies
Manageable • Reach out to previously untouchable machines • Allows remote clients to process Group Policies • Ongoing updates (AV/WSUS etc …) from the internal infrastructure • NAP integration for health compliance • Consolidate Edge Infrastructure
Internet DirectAccess Client (Windows 7) Forefront UAG DirectAccess Tunnel over IPv4 UDP, HTTPS, etc. Encrypted IPsec+ESP Native IPv6 6to4 Teredo IP-HTTPS
Enterprise Network Forefront UAG DirectAccess Line of Business Applications No IPsec IPsec Integrity Only (Auth) Windows Server 2003 Windows Server 2008 Non-Windows Server IPsec Integrity + Encryption
End-to-Edgeencryption Corporate Network Trusted, compliant, healthy machine No overhead of encryption on application servers Edge enforces machine/user authentication and data encryption Least change from existing edge deployments Forefront UAG DirectAccess DC & DNS(Server 2008 SP2/R2) Windows 7 client Applications & Data (non-IPsec enabled) IPsec ESP tunnel encryption using machine cert (DC/DNS access) Internet IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access Clear Text traffic from client flows through encrypted tunnel to Corporate network resources
End-to-EdgeEncryption + End to End IPsec Corporate Network No overhead of encryption on application servers (just authentication) DirectAccess Edge Encryption combined with End to End IPsec Server and Domain Isolation Trusted, compliant, healthy machine Forefront UAG DirectAccess DC & DNS(Server 2008 SP2/R2) Windows 7 client Applications & Data IPsec-enabled Internet IPsec ESP tunnel encryption using machine cert (DC/DNS access) IPsec ESP tunnel encryption using UserKerb/Health Cert/Smartcard for broad network access IPsec ESP-Null AuthIP Transport Traffic flows through encrypted tunnel to Corporate network resources
End-To-End IPsec Transport Encryption Thin edge solution using IPsec Denial of Service Protection (DoSP) Service only allows IPSec & ICMP traffic Full End to End IPsec Encryption IP-HTTPS tunnel used for proxy scenarios only Corporate Network Forefront UAG DirectAccess Trusted, compliant, healthy machine DC & DNS(Server 2008 SP2/R2) Internet Windows 7 client Applications & Data IPsec-enabled IPsec ESP-encrypted transport to access Corporate network resources
Extends access to LOB servers with IPv4 support Access for down level and non Windows clients Enhances scalability and management Simplifies deployment and administration Hardened Edge Solution MANAGED IPv6 Windows7 IPv6 Always On DirectAccess Windows7 UNMANAGED IPv4 VistaXP Extend support to IPv4 servers SSL VPN Forefront UAG DirectAccess IPv4 Non Windows PDA IPv4 UAG provides access for down level and non Windows clients UAG enhances scale and management with integrated LB and array capabilities. UAG improves adoption and extends access to existing infrastructure UAG uses wizards and tools to simplify deployments and ongoing management. UAG is a hardened edge appliance available in HW and virtual options