{Security Technologies} Steve Lamb Technical Security Advisor, Microsoft UK http://blogs.technet.com/steve_lamb Stephen.lamb@microsoft.com
Agenda
• Overview of Windows Server 2008 Security
• Windows Service Hardening
• Network Access Protection
• Read-Only Domain Controllers
• AD Rights Management
• Auditing
• Resources

Windows Server 2008 Security Architecture
(Diagram: Network Access Protection; Read-Only Domain Controller; AD Rights Management Services; Auditing)

Windows Services Hardening
• Windows Services are profiled
• Reduce size of high risk layers
• Segment the services
• Increase number of layers
(Diagram: kernel (K) and user-mode (U) layers, showing Kernel Drivers, User-mode Drivers and segmented Services 1 to 3 / A and B)

Network Access Protection
(Diagram: Internet; Boundary Zone; Employees, Partners, Vendors; Intranet; Customers; Partners; Remote Employees)

Network Access Protection: How It Works
1. Access requested
2. Health state sent to NPS (RADIUS)
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation
(Diagram: Policy Servers, e.g., Patch, AV; Microsoft NPS; Remediation Servers, e.g., Patch; Restricted Network for clients that are not policy compliant; Corporate Network for policy-compliant clients; DHCP, VPN, Switch/Router)
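The five-step flow on this slide as an added example (not from the deck and not Microsoft's NAP implementation): a toy policy server that validates a constructed statement of health and hands back either the corporate network or the restricted network plus the remediation servers for each failed check. The policy values, remediation server names and SoH fields are assumptions.

```python
# Added example (not from the deck): toy model of the NAP flow on the slide.
# A client's statement of health (SoH) is validated against a health policy;
# compliant clients get the corporate network, others get the restricted
# network plus the remediation server for each failed check.
# Policy values, server names and the SoH shape are constructed, not NAP's real format.
from dataclasses import dataclass, field

HEALTH_POLICY = {                # constructed policy the NPS enforces
    "min_patch_level": 42,       # hypothetical patch baseline
    "av_required": True,
    "av_signatures_max_age_days": 7,
}
REMEDIATION_SERVERS = {          # constructed names, keyed by failing check
    "patch": "patch.remediation.example",
    "av": "av.remediation.example",
}

@dataclass
class StatementOfHealth:         # step 2: what the client reports
    patch_level: int
    av_enabled: bool
    av_signature_age_days: int

@dataclass
class AccessDecision:            # steps 4/5: what NPS hands back
    compliant: bool
    network: str                 # "corporate" or "restricted"
    failed_checks: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def validate_health(soh, policy=HEALTH_POLICY):
    """Step 3: validate the SoH against the policy. Every failing check is
    recorded so the client can be pointed at the right remediation server."""
    failed = []
    if soh.patch_level < policy["min_patch_level"]:
        failed.append("patch")
    if policy["av_required"] and (not soh.av_enabled or
            soh.av_signature_age_days > policy["av_signatures_max_age_days"]):
        failed.append("av")
    if not failed:
        return AccessDecision(True, "corporate")
    return AccessDecision(False, "restricted", failed,
                          [REMEDIATION_SERVERS[c] for c in failed])
```

A client that fails more than one check is listed against every matching remediation server, which is the behaviour the "remediation" step on the slide relies on.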
Read-Only Domain Controller
(Diagram: RODC; Main Office; Branch Office)

AD Rights Management
• Do NOT Forward
• Let’s have a look @ my email

How does RMS work?
(Diagram, steps 1 to 5: Author using Office; Windows Server running RMS; Active Directory; SQL Server; The Recipient)

Federated Rights Management
(Diagram: Contoso and Adatum, each with its own AD; Resource Federation Server; Account Federation Server; Federation Trust; RMS; Web SSO)

Auditing - Comparison
(Comparison table: Windows Server 2003 vs. Windows Server 2008)

A Quick Review: BitLocker

New Windows Firewall
• Inbound and Outbound Filtering
• New Management MMC
• Integrated Firewall and IPsec Policies
• Rule Configuration on Active Directory Groups and Users
• Support for IPv4 and IPv6
• Advanced Rule Options
• On by Default (Beta 3)

Server and Domain Isolation
• Enable tiered access to sensitive resources
• Block inbound connections from untrusted
• Managed computers can communicate
• Define the logical isolation boundaries
• Distribute policies and credentials
(Diagram: Server Isolation around Servers with Sensitive Data, reached by an HR Workstation / Managed Computer; Domain Isolation around the Corporate Network with Active Directory Domain Controller, Trusted Resource Server and Managed Computers; Unmanaged/Rogue Computer and Untrusted computers marked X)

Crypto Next Generation (CNG)
• Native AES 256 in the Kernel
• Can plug in new algorithms
• FIPS 140-2