
Microsoft Windows 7 Security

Presented by Ronen Gottlib, CISSP, Information Security Lead, Microsoft.


Presentation Transcript


  1. Microsoft Windows 7 Security. Ronen Gottlib, CISSP, Information Security Lead, Microsoft

  2. Enhance Security & Control
     Protect Data on PCs & Devices
     • BitLocker To Go™ (Windows 7 Enterprise) protects data on removable drives
     • BitLocker™ simplifies encryption and key management for all drives
     Protect Users & Infrastructure
     • AppLocker™ (Windows 7 Enterprise) controls what applications run
     • Internet Explorer 8 helps keep users safe online
     • User Account Control prompts less
     Build on Windows Vista Security Foundation
     • Security Development Lifecycle for defense in depth

  3. Data Protection
     Situation today: [chart] Worldwide Shipments (000s). Sources: Gartner, "Forecast: USB Flash Drives, Worldwide, 2001-2011", 24 September 2007, Joseph Unsworth; Gartner, "Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08", 18 April 2008, Mikako Kitagawa, George Shiffler III
     W7 solution: BitLocker To Go™ (Windows 7 Enterprise)
     • Protect data on internal and removable drives
     • Mandate the use of encryption with Group Policies
     • Store recovery information in Active Directory for manageability
     • Simplify BitLocker setup and configuration of primary hard drive
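The three policy points on this slide (encrypt removable drives, mandate it with Group Policy, escrow recovery information in Active Directory) can be checked on a client. The script below is an added example written for this transcript, not code from the presentation or from Microsoft. It audits every volume through the Win32_EncryptableVolume WMI class (the interface manage-bde.exe also uses), flags removable drives that are not protected and drives that have no recovery-password protector to escrow, and then reads the registry view of the relevant BitLocker Group Policy settings. The registry value names (RDVDenyWriteAccess, RDVActiveDirectoryBackup, OSActiveDirectoryBackup) are quoted from the BitLocker ADMX as I remember it and should be verified against your template; run from an elevated Windows PowerShell prompt on Windows 7.

```powershell
# Added example, not from the presentation: audit BitLocker protection on a
# Windows 7 machine via Win32_EncryptableVolume and read the Group Policy
# settings the slide refers to from their registry locations. Run elevated.

$fveNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Key protector type codes returned by GetKeyProtectorType.
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword';
    4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey';
    7 = 'PublicKey'; 8 = 'Passphrase'
}

function Get-BitLockerAudit {
    # Win32_LogicalDisk.DriveType: 2 = removable disk, 3 = local fixed disk.
    $driveType = @{}
    Get-WmiObject -Class Win32_LogicalDisk | ForEach-Object { $driveType[$_.DeviceID] = $_.DriveType }

    Get-WmiObject -Namespace $fveNamespace -Class Win32_EncryptableVolume | ForEach-Object {
        $vol  = $_
        $prot = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        $conv = $vol.GetConversionStatus()                     # EncryptionPercentage 0..100
        $types = @()
        # GetKeyProtectors(0) returns the IDs of key protectors of every type.
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $types += $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        $removable = ($driveType[$vol.DriveLetter] -eq 2)
        # What the slide's policy is meant to prevent: data on a removable
        # drive that BitLocker To Go does not protect.
        $finding = ''
        if ($removable -and $prot -ne 1) { $finding = 'Unprotected removable drive' }
        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            Removable           = $removable
            Protected           = ($prot -eq 1)
            EncryptedPercent    = $conv.EncryptionPercentage
            Protectors          = ($types -join ',')
            # The recovery password (numerical password) protector is the one
            # BitLocker escrows to AD DS when recovery backup is mandated.
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            Finding             = $finding
        }
    }
}

function Get-BitLockerPolicy {
    # Registry view of the BitLocker (FVE) Group Policy settings. Value names
    # are from the BitLocker ADMX as remembered; verify against your template.
    $sys = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $sw  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    function Read-Value($path, $name) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { $item.$name } else { 'not configured' }
    }
    New-Object PSObject -Property @{
        DenyWriteToUnprotectedRemovable = Read-Value $sys 'RDVDenyWriteAccess'
        RemovableRecoveryBackupToAD     = Read-Value $sw  'RDVActiveDirectoryBackup'
        OSDriveRecoveryBackupToAD       = Read-Value $sw  'OSActiveDirectoryBackup'
    }
}

Get-BitLockerAudit  | Format-Table Drive, Removable, Protected, EncryptedPercent, Protectors, HasRecoveryPassword, Finding -AutoSize
Get-BitLockerPolicy | Format-List
```

A removable drive that shows Protected = True but HasRecoveryPassword = False is the case to look for in an environment that relies on AD escrow: the drive is encrypted, but there is nothing for the recovery backup policy to store, so a forgotten password means lost data.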

  4. Application Control
     Situation today:
     • Users can install and run unapproved applications
     • Even standard users can install some types of software
     • Unauthorized applications may:
       • Introduce malware
       • Increase helpdesk calls
       • Reduce user productivity
       • Undermine compliance efforts
     W7 solution: AppLocker™ (Windows 7 Enterprise)
     • Eliminate unwanted/unknown applications in your network
     • Enforce application standardization within your organization
     • Easily create and manage flexible rules using Group Policy
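The slide's "create and manage flexible rules" step is usually done from a reference machine and tested in audit mode before enforcement. The script below is an added example written for this transcript, not code from the presentation or from Microsoft; it uses the AppLocker PowerShell module that ships with Windows 7 Enterprise and Windows Server 2008 R2. It builds publisher rules for signed executables and hash rules for the rest, tests the resulting policy against sample files, confirms the Application Identity service (which AppLocker enforcement depends on) is running, and pulls the audit and block events. The output path and the sample file under the user's Downloads folder are assumptions.

```powershell
# Added example, not from the presentation: build, test and audit an
# AppLocker executable allow-list on a Windows 7 reference machine.
# Run from an elevated Windows PowerShell prompt.
Import-Module AppLocker

$policyPath = 'C:\Temp\AppLocker-Policy.xml'   # assumed output location

# 1. Collect publisher/hash/path information for the executables that are
#    supposed to run on this build.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Generate publisher rules where a signature exists, hash rules otherwise,
#    allowing them for Everyone. -Optimize merges rules from the same publisher.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding UTF8

# 3. Evaluate the policy against sample files before deploying it. An
#    executable in the user profile is the typical thing it should deny.
$candidates = @('C:\Windows\System32\calc.exe', "$env:USERPROFILE\Downloads\setup.exe") |
    Where-Object { Test-Path $_ }
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Local test deployment (merge into the local policy). In production the XML
# is imported into a GPO instead, which is what the slide describes.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. AppLocker rules are only evaluated while the Application Identity
#    service runs; a stopped service silently disables enforcement.
function Test-AppLockerEnforcementReady {
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    ($svc -ne $null) -and ($svc.Status -eq 'Running')
}

# 5. After deploying in audit-only mode, review what would have been blocked:
#    event 8003 = would be blocked (audit), 8004 = blocked (enforce).
function Get-AppLockerDenials {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{Name = 'User';    Expression = { $_.UserId }},
            @{Name = 'Message'; Expression = { $_.Message.Split("`n")[0] }}
}

"Application Identity service running: $(Test-AppLockerEnforcementReady)"
Get-AppLockerDenials | Format-Table -AutoSize
```

Run the policy in audit-only mode long enough to see a representative week of 8003 events; every legitimate application that shows up there is a missing rule, and only when that list is empty is it safe to switch the GPO to enforce.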

  5. Advanced Group Policy Management: enhancing Group Policy through change management
     What it does:
     • Versioning, history & rollback of group policy changes
     • Role-based administration & templates
     • Flexible delegation model
     Benefits:
     • Enable group policy change management
     • Provides granular administrative control
     • Reduce risk of widespread failure

  6. Network Access Protection
     Today's challenges:
     • Unprotected network taps within an organization's buildings
     • Administrators have limited control over the health of systems joining the network
     • Result: hardware/network upgrades and increased operational costs, reduced productivity
     Solution: end-to-end, authenticated, tamper-resistant communication
     • Improved isolation using IPsec
     • Network access protection across IPsec, 802.1X, DHCP, VPN
     • Increased manageability

  7. Forefront UAG 2010: DirectAccess and RDG. Idan Plotnik, Security Engineer, Forefront MVP

  8. Help us to help you to help others …

  9. A word on wording
     • In Windows 7 / Windows Server 2008 R2, Terminal Services (TS) was renamed to Remote Desktop Services (RDS)
     • Other terminology changes:
       • Terminal Services Gateway (TSG) → Remote Desktop Gateway (RDG)
       • Terminal Services Server → Remote Desktop Session Host
       • TS Broker → RD Connection Broker

  10. How SSL VPN works … RD/TS is published by tunneling its traffic, without IAG or any other SSL VPN being able to control the traffic.
     [diagram] RD/TS Client (MSTSC) → RDP inside HTTPS tunnel → IAG → RD Session Host (TS Server)

  11. What's new in UAG: in UAG, RD/TS client traffic goes over HTTPS. The HTTPS tunnel is terminated at UAG, therefore we can inspect the traffic. The traffic is then passed to the backend RD Session Host using the RDP protocol.
     [diagram] RD/TS Client (MSTSC) → RDP over HTTPS → UAG + RDG → RDP → RD Session Host (TS Server)

  12. New functionality
     • UAG seamlessly integrates Terminal Services / Remote Desktop Gateway (TSG/RDG) to provide an application-level gateway for RDS applications
     • Enables employees to securely access applications that are hosted on a Terminal Server or on their internal workstation
     • Benefits:
       • Enhanced security
       • Granular policies based on client health: no anti-virus → no drive sharing
       • TS RemoteApps are integrated into the UAG portal side-by-side with Web applications
       • Single sign-on experience

  13. DirectAccess • Providing seamless, secure access to enterprise resources from anywhere

  14. Always On
     • Always connected
     • No user action required
     • Adapts to changing networks

  15. Secure
     • Encrypted by default
     • 2-factor AuthN: strong authentication!
       • Computer AuthN
       • User AuthN
     • Granular access control
     • Coexists with existing edge, health, and access policies

  16. Manageable
     • Reach out to previously untouchable machines
     • Allows remote clients to process Group Policies
     • Ongoing updates (AV/WSUS etc.) from the internal infrastructure
     • NAP integration for health compliance
     • Consolidate edge infrastructure

  17. VPN vs. DirectAccess - Value

  18. [diagram] Internet: DirectAccess Client (Windows 7) → Forefront UAG DirectAccess. Tunnel over IPv4 (UDP, HTTPS, etc.), encrypted with IPsec+ESP. IPv6 connectivity: Native IPv6, 6to4, Teredo, IP-HTTPS

  19. [diagram] Enterprise Network: Forefront UAG DirectAccess → Line of Business Applications. Server types shown: Windows Server 2003, Windows Server 2008, Non-Windows Server. IPsec levels shown: No IPsec; IPsec Integrity Only (Auth); IPsec Integrity + Encryption
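Slide 18 lists the four ways a DirectAccess client reaches the UAG server over IPv6 (native IPv6, 6to4, Teredo, IP-HTTPS) and states that the tunnel is IPsec/ESP-encrypted. When a client "is connected but nothing works", the first question is which of those paths it actually took and whether the IPsec tunnels came up. The script below is an added diagnostic example written for this transcript, not code from the presentation or from Microsoft; it only reads the netsh contexts that exist on Windows 7 and parses their English output, so the string patterns are an assumption about that output format. Run from an elevated prompt on the client.

```powershell
# Added example, not from the presentation: report the IPv6 transition
# technology a Windows 7 DirectAccess client is using and whether IPsec
# security associations exist. Patterns assume English netsh output.

function Get-DaTransitionState {
    # Client preference order: native IPv6 if the local network provides it,
    # then 6to4 (needs a public IPv4 address), then Teredo (UDP 3544, works
    # behind most NATs), then IP-HTTPS (TCP 443, the fallback that also works
    # through web proxies and firewalls that only allow HTTPS out).
    $teredo  = netsh interface teredo show state 2>&1
    $sixto4  = netsh interface 6to4 show state 2>&1
    $iphttps = netsh interface httpstunnel show interfaces 2>&1

    $teredoState  = (($teredo  | Select-String -Pattern 'State'            | ForEach-Object { $_.Line.Trim() }) -join '; ')
    $sixto4State  = (($sixto4  | Select-String -Pattern 'State'            | ForEach-Object { $_.Line.Trim() }) -join '; ')
    $iphttpsState = (($iphttps | Select-String -Pattern 'Interface Status' | ForEach-Object { $_.Line.Trim() }) -join '; ')
    $iphttpsError = (($iphttps | Select-String -Pattern 'Last Error Code'  | ForEach-Object { $_.Line.Trim() }) -join '; ')

    # 'qualified' means Teredo has a working path to its server; an active
    # IP-HTTPS interface means the client fell through to the fallback.
    $likely = 'native IPv6 or 6to4 (check ipconfig for 2002: or a global address)'
    if     ($teredoState  -match 'qualified') { $likely = 'Teredo' }
    elseif ($iphttpsState -match 'active')    { $likely = 'IP-HTTPS' }

    New-Object PSObject -Property @{
        Teredo        = $teredoState
        SixToFour     = $sixto4State
        IpHttps       = $iphttpsState
        IpHttpsError  = $iphttpsError
        LikelyPath    = $likely
    }
}

function Get-DaIpsecState {
    # Two tunnels are expected once DirectAccess is up: the infrastructure
    # tunnel (machine certificate, DC/DNS access) and the intranet tunnel
    # (user Kerberos, broad access). Each shows up as main-mode and
    # quick-mode SAs; the monitor output prints one 'Local IP Address'
    # line per SA (assumed format).
    $mmsa = netsh advfirewall monitor show mmsa 2>&1
    $qmsa = netsh advfirewall monitor show qmsa 2>&1
    New-Object PSObject -Property @{
        MainModeSAs  = @($mmsa | Select-String -Pattern 'Local IP Address').Count
        QuickModeSAs = @($qmsa | Select-String -Pattern 'Local IP Address').Count
        # Auth1/Auth2 lines show which credentials (ComputerCert, UserKerb,
        # health certificate) each main-mode SA was built with.
        AuthMethods  = (($mmsa | Select-String -Pattern '^Auth[12]' | ForEach-Object { $_.Line.Trim() }) -join '; ')
    }
}

Get-DaTransitionState | Format-List
Get-DaIpsecState      | Format-List
# The Name Resolution Policy Table decides which DNS names are sent to the
# corporate DNS server through the tunnel; an empty table explains
# "connected but cannot resolve intranet names".
netsh namespace show effectivepolicy
```

If Get-DaTransitionState reports IP-HTTPS while the client sits on a network where Teredo should work, the usual cause is outbound UDP 3544 being blocked; that is worth knowing because IP-HTTPS in Windows 7 carries IPsec inside TLS and costs noticeably more CPU on the UAG server than Teredo does.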

  20. 3 Deployment Models

  21. End-to-Edge encryption
     • Trusted, compliant, healthy machine
     • No overhead of encryption on application servers
     • Edge enforces machine/user authentication and data encryption
     • Least change from existing edge deployments
     [diagram] Windows 7 client → Internet → Forefront UAG DirectAccess → Corporate Network: DC & DNS (Server 2008 SP2/R2), Applications & Data (non-IPsec enabled)
     • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
     • IPsec ESP tunnel encryption using User Kerb / Health Cert / Smartcard for broad network access
     • Clear text traffic from client flows through encrypted tunnel to Corporate network resources

  22. End-to-Edge encryption + End-to-End IPsec
     • No overhead of encryption on application servers (just authentication)
     • DirectAccess edge encryption combined with End-to-End IPsec Server and Domain Isolation
     • Trusted, compliant, healthy machine
     [diagram] Windows 7 client → Internet → Forefront UAG DirectAccess → Corporate Network: DC & DNS (Server 2008 SP2/R2), Applications & Data (IPsec-enabled)
     • IPsec ESP tunnel encryption using machine cert (DC/DNS access)
     • IPsec ESP tunnel encryption using User Kerb / Health Cert / Smartcard for broad network access
     • IPsec ESP-Null AuthIP transport
     • Traffic flows through encrypted tunnel to Corporate network resources

  23. End-To-End IPsec transport encryption
     • Thin edge solution using IPsec Denial of Service Protection (DoSP) service: only allows IPsec & ICMP traffic
     • Full End-to-End IPsec encryption
     • IP-HTTPS tunnel used for proxy scenarios only
     [diagram] Windows 7 client → Internet → Forefront UAG DirectAccess → Corporate Network: DC & DNS (Server 2008 SP2/R2), Applications & Data (IPsec-enabled)
     • Trusted, compliant, healthy machine
     • IPsec ESP-encrypted transport to access Corporate network resources
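The difference between models 2 and 3 lives on the application servers, not on the UAG box: model 2 ("ESP-Null AuthIP transport") authenticates the client machine and user end to end but leaves the payload in clear behind the edge, while model 3 encrypts the transport all the way to the server. The script below is an added example written for this transcript, not code from the presentation or from Microsoft; it creates the corresponding connection security rule on an IPsec-enabled, IPv6-reachable application server with netsh advfirewall (servers reached through UAG's IPv4 translation cannot take part in end-to-end IPsec, which is why slides 21 and 24 keep them on model 1). The rule names, the client prefix 2001:db8:da::/48 and the choice of SHA-1/AES-128 are placeholders; Kerberos authentication in a connection security rule implies AuthIP, which matches the slide's wording.

```powershell
# Added example, not from the presentation: connection security rule for
# deployment model 2 (integrity only) or model 3 (integrity + encryption)
# on an IPsec-enabled application server. Run elevated on the server.

$clientPrefix = '2001:db8:da::/48'   # PLACEHOLDER: IPv6 prefix assigned to DirectAccess clients
$model = 3                           # 2 = ESP-null integrity, 3 = ESP encryption

switch ($model) {
    2 {
        # Model 2: machine Kerberos (auth1) + user Kerberos (auth2), ESP with
        # SHA-1 integrity and NO encryption (ESP-null). The Internet leg is still
        # encrypted by the edge tunnel; inside the corporate network the payload
        # is readable, so this only adds end-to-end authentication.
        netsh advfirewall consec add rule `
            name="DirectAccess model 2 - ESP-null integrity" `
            endpoint1=any endpoint2=$clientPrefix `
            action=requireinrequestout mode=transport `
            auth1=computerkerb auth2=userkerb `
            qmsecmethods=esp:sha1-none enable=yes
    }
    3 {
        # Model 3: same authentication, but every quick-mode proposal carries
        # AES-128, so a connection that does not negotiate encryption cannot
        # be established. requireinrequireout: both directions must be
        # protected, which is what "full end-to-end encryption" means here.
        netsh advfirewall consec add rule `
            name="DirectAccess model 3 - ESP encryption" `
            endpoint1=any endpoint2=$clientPrefix `
            action=requireinrequireout mode=transport `
            auth1=computerkerb auth2=userkerb `
            qmsecmethods=esp:sha1-aes128 enable=yes
    }
}

# Verify the rule set, then, once a client has connected, inspect the
# negotiated quick-mode SAs: the integrity and encryption algorithms listed
# there tell you whether ESP-null or AES was actually agreed.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show qmsa
```

Keep only one of the two rules on a server; overlapping connection security rules with different quick-mode methods make it hard to predict which proposal wins, and the monitor output is the only reliable way to confirm that model 3 actually delivered encryption rather than silently falling back to the integrity-only proposal.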

  24. Forefront UAG DirectAccess
     • Extends access to LOB servers with IPv4 support
     • Access for down-level and non-Windows clients
     • Enhances scalability and management
     • Simplifies deployment and administration
     • Hardened edge solution
     [diagram] MANAGED clients: Windows 7 (IPv6, Always On DirectAccess) → Forefront UAG DirectAccess → extends support to IPv4 servers. UNMANAGED clients: Windows 7 / Vista / XP (IPv4), Non-Windows, PDA (IPv4) → SSL VPN
     • UAG provides access for down-level and non-Windows clients
     • UAG enhances scale and management with integrated LB and array capabilities
     • UAG improves adoption and extends access to existing infrastructure
     • UAG uses wizards and tools to simplify deployments and ongoing management
     • UAG is a hardened edge appliance available in HW and virtual options

  25. DEMO
