
Windows Server 2008 Security and Microsoft Security

Bruce Lynn, Director of Server Business Group UK, Microsoft Corporation


Top Security Challenges

  • Virus & Malware Prevention: Viruses, Spyware and Worms; Botnets and Rootkits; Phishing and Fraud

  • Business Practices: Regulatory Compliance; Developing and Implementing Security Policies; Reporting and Accountability

  • Implementing Defense in Depth: Identity Management and Access Control; Managing Access in the Extended Enterprise; Security Risk of Unmanaged PCs

  • Security Management: Deploying Security Updates; System Identification and Configuration; Security Policy Enforcement


Security Dimensions

  • Secure Software: Trustworthy Computing; SDL; Secure by Default

  • Secure Platform: System architectures (file systems, core services); BitLocker, RODC, Address Space Layout Randomization, PKI, Network Access Protection; Reduced Attack Surface (Server Core)

  • Security Solutions: Forefront Security family; Identity Lifecycle Management; OneCare, Windows Live Safety Center

  • Security Management: System Center family, Windows Update Service; Group Policy, Active Directory; Security Bulletins, ‘Patch Tuesdays’, Health Checks



Attacks Are Moving To Application Layer

(Chart: vulnerability counts in Operating Systems versus Applications for 2004, 2005 and 2006.)

  • ~90% are exploitable remotely

  • ~60% are in web applications

Source: Microsoft Security Intelligence Report 2007; IBM X-Force and Symantec 2007 Security Reports


Trustworthy Computing

(Timeline, 2002 to 2008. Milestones shown: TWC Announced; SDL begins; Windows Server 2003; Windows XP SP2; DSI Launched; Windows Server 2003 SP1; SQL Server 2005; Visual Studio 2005; Malicious SW Removal Tool; Windows Defender; Windows Live OneCare; Windows Vista; Office 2007; Forefront; Windows Server 2008; SQL Server 2008.)



Making SDL Available To Developers

  • Education

    • Developer security center on MSDN

    • Security “How to” videos on MSDN/Channel 9

  • SDL Process

    • SDL website on Microsoft.com

      • Detailed SDL process guidance

      • Microsoft Privacy guidelines

    • SDL book published in 2006 (Lipner and Howard)

  • Security Tools

    • Integrated security tools in Visual Studio

      • Secure compiler and linker flags

      • Static code analysis (FxCop, /analyze)

      • Removal of insecure APIs

    • Threat modeling tools


Windows Server 2008 Security: Hardens Operating System and Increases Environment Protection

  • Read-Only Domain Controller

  • Network Access Protection

  • Federated Rights Management


Server Protection Features

  • Compliance

    • Improved auditing

    • Network Access Protection

    • Event Forwarding

    • Policy Based Networking

    • Server and Domain Isolation

    • Removable Device Installation Control

    • Active Directory Rights Management Services

  • Security

    • Development Process

    • Secure Startup and shield up at install

    • Code integrity

    • Windows service hardening

    • Inbound and outbound firewall

    • Restart Manager

    • Address Space Layout Randomisation


Windows Server 2008 Hardening

(Diagram: Windows service hardening. Services that ran as LocalSystem, Network Service or Local Service on Windows® XP SP2/Server 2003 R2 run on Windows Vista/Server 2008 under more restricted profiles: LocalSystem, Firewall Restricted; Network Service, Fully Restricted; Network Service, Network Restricted; Local Service, No Network Access; Local Service, Fully Restricted.)
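As an added example (not part of the presentation), the PowerShell below inventories running services by logon account and reads each service's SID type, the per-service identity that Windows service hardening uses to scope firewall rules and ACLs. The function name is mine; it assumes a Windows Vista/Server 2008 or later host, an elevated prompt, and that sc.exe qsidtype prints a SERVICE_SID_TYPE line in the format shown in the comments.

```powershell
# Added example, not from the presentation. Assumes Windows Vista/Server 2008
# or later and an elevated prompt. The sc.exe qsidtype output is assumed to
# contain a line of the form "SERVICE_SID_TYPE: NONE|UNRESTRICTED|RESTRICTED".

function Get-ServiceHardeningReport {
    $running = Get-WmiObject -Class Win32_Service -Filter "State = 'Running'"

    foreach ($svc in $running) {
        $out = & sc.exe qsidtype $svc.Name 2>&1

        $sidType = 'UNKNOWN'
        foreach ($l in $out) {
            if ($l -match 'SERVICE_SID_TYPE\s*:\s*(\S+)') { $sidType = $Matches[1] }
        }

        New-Object PSObject -Property @{
            Name       = $svc.Name
            Account    = $svc.StartName   # LocalSystem, NT AUTHORITY\NetworkService, ...
            ServiceSid = $sidType
        }
    }
}

# Services still running as LocalSystem without a service SID cannot be fenced
# by per-service firewall rules or ACLs, so these are the ones to review first.
Get-ServiceHardeningReport |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.ServiceSid -eq 'NONE' } |
    Sort-Object Name |
    Format-Table Name, Account, ServiceSid -AutoSize
```

The full report (without the Where-Object filter) is useful as a baseline: compare it after each role installation to catch third-party services that arrive as unrestricted LocalSystem.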


BitLocker™ Drive Encryption

(Diagram: Full Volume Encryption Key (FVEK); Encryption Policy.)

  • Group Policy allows central encryption policy and provides Branch Office protection

  • Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System

  • Uses a v1.2 TPM or USB flash drive for key storage
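As an added example (not part of the presentation), this PowerShell summarises the BitLocker state of every fixed volume using manage-bde.exe, which ships with Windows Vista/Server 2008 and later. The function name is mine; the "Protection Status:", "TPM" and "Numerical Password" text patterns it matches are assumptions about manage-bde's console output.

```powershell
# Added example, not from the presentation. Uses manage-bde.exe (Windows
# Vista/Server 2008 and later); run from an elevated prompt. The matched output
# line formats are assumptions about manage-bde's text output.

function Get-BitLockerSummary {
    $fixed = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3"

    foreach ($disk in $fixed) {
        $vol        = $disk.DeviceID                          # e.g. C:
        $status     = & manage-bde.exe -status $vol 2>&1
        $protectors = & manage-bde.exe -protectors -get $vol 2>&1

        $protection = 'Unknown'
        foreach ($l in $status) {
            if ($l -match 'Protection Status:\s*(.+)$') { $protection = $Matches[1].Trim() }
        }

        New-Object PSObject -Property @{
            Volume           = $vol
            Protection       = $protection                         # "Protection On" / "Protection Off"
            TpmProtector     = [bool]($protectors -match '^\s*TPM')  # key sealed to the v1.2 TPM
            RecoveryPassword = [bool]($protectors -match 'Numerical Password')
        }
    }
}

# A volume with protection off, or with a TPM protector but no recovery
# password escrowed, is the gap to close before the machine ships to a branch.
Get-BitLockerSummary |
    Where-Object { $_.Protection -ne 'Protection On' -or -not $_.RecoveryPassword } |
    Format-Table Volume, Protection, TpmProtector, RecoveryPassword -AutoSize
```

Pair the check with the Group Policy setting that requires recovery information to be backed up to Active Directory, so the recovery password exists centrally before encryption is allowed to start.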


Network Access Protection

(Diagram: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as Patch, AV; Remediation Servers, example: Patch; Restricted Network; Corporate Network; Not policy compliant / Policy compliant paths.)

What is Network Access Protection?

  • Health Policy Validation

  • Health Policy Compliance

  • Ability to Provide Limited Access

  • Enhanced Security

  • Increased Business Value

  • Cisco and Microsoft Integration Story


Using Network Access Protection

(Diagram as on the previous slide: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as Patch, AV; Remediation Servers, example: Patch; Restricted Network; Corporate Network; with the numbered steps below.)

  1. Client requests access to network and presents current health state

  2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)

  3. Network Policy Server (NPS) validates against IT-defined health policy

  4. If not policy compliant, client is put in a restricted VLAN and given access to fix-up resources to download patches, configurations, signatures (repeat 1 - 4)

  5. If policy compliant, client is granted full access to corporate network


AD Rights Management Services

  • AD RMS protects access to an organization’s digital files

  • AD RMS in Windows Server 2008 includes several new features

    • Improved installation and administration experience

    • Self-enrollment of the AD RMS cluster

    • Integration with AD Federation Services

    • New AD RMS administrative roles

(Diagram: Information Author; RMS Server with AD and SQL; The Recipient.)


Active Directory Federation Services

  • AD FS provides an identity access solution

  • Deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions

  • AD FS provides a Web-based SSO solution

  • AD FS interoperates with other security products that support the Web Services Architecture

  • AD FS improved in Windows Server 2008

(Diagram: Contoso and Adatum, each with AD; Account Federation Server and Resource Federation Server joined by a Federation Trust; Web Server.)


Federated Rights Management

  • Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities

  • AD RMS is fully claims-aware and can interpret AD FS claims

  • Office SharePoint Server 2007 can be configured to accept federated identity claims

(Diagram: Contoso and Adatum, each with AD; Account Federation Server and Resource Federation Server joined by a Federation Trust; RMS; Web SSO.)


Read-Only Domain Controller

(Diagram: Main Office; Branch Office with RODC.)

  • Features

    • Read-Only Active Directory Database

    • Only allowed user passwords are stored on RODC

    • Unidirectional Replication

    • Role Separation

  • Benefits

    • Increases security for remote Domain Controllers where physical security cannot be guaranteed

  • Support

    • ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM


How RODC Works

(Diagram: Branch with Read Only DC (RODC); Hub with Windows Server 2008 DC; numbered steps below.)

  1. User logs on and authenticates

  2. RODC looks in its DB: "I don't have the user's secrets"

  3. RODC forwards the request to the Windows Server 2008 DC

  4. Windows Server 2008 DC authenticates the request

  5. Windows Server 2008 DC returns the authentication response and TGT back to the RODC

  6. RODC gives the TGT to the user and caches the credentials
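As an added example (not part of the presentation), this PowerShell audits what each RODC would expose if the branch box were stolen: its Password Replication Policy (who may be cached, who is denied) and the accounts whose secrets have actually been replicated to it, flagging any that belong to privileged groups. The function name and the privileged-group list are mine; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT) and read access to the domain.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 or later RSAT) and an account with read access to AD.
Import-Module ActiveDirectory

function Get-RodcExposureReport {
    # Groups whose members should never have secrets cached on a branch RODC (assumed list)
    $privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

    foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
        # Password Replication Policy: who may be cached and who is explicitly denied
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

        # Accounts whose secrets have actually been replicated ("revealed") to this RODC:
        # this set, not the allow list, is what a stolen RODC exposes.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

        $privilegedCached = foreach ($acct in $revealed) {
            $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
            if ($groups | Where-Object { $privilegedGroups -contains $_ }) { $acct.SamAccountName }
        }

        New-Object PSObject -Property @{
            RODC             = $rodc.HostName
            Site             = $rodc.Site
            AllowedEntries   = @($allowed).Count
            DeniedEntries    = @($denied).Count
            RevealedAccounts = @($revealed).Count
            PrivilegedCached = @($privilegedCached) -join ', '
        }
    }
}

Get-RodcExposureReport |
    Format-Table RODC, Site, AllowedEntries, DeniedEntries, RevealedAccounts, PrivilegedCached -AutoSize
```

A non-empty PrivilegedCached column means an administrator logged on at the branch while the RODC was allowed to cache that account; the remediation is to move the account to the deny list and reset its password so the cached secret is stale.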


Read-only DC Mitigates “Stolen DC”

(Diagram: Hub Admin Perspective; Attacker Perspective.)


Cryptography Next Generation (CNG)

  • Includes algorithms for encryption, digital signatures, key exchange, and hashing

  • Supports cryptography in kernel mode

  • Supports the current set of CryptoAPI 1.0 algorithms

  • Support for elliptic curve cryptography (ECC) algorithms

  • Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data
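As an added example (not part of the presentation), this PowerShell exercises CNG through the .NET Framework wrappers SHA256Cng and ECDsaCng: it hashes a message, signs it with an ECC (P-256) key, exports only the public key, and verifies both the original and a tampered copy. The function name and the sample message are mine; it assumes Windows PowerShell on a host with the .NET Framework's System.Core assembly.

```powershell
# Added example, not from the presentation. Uses the .NET Framework CNG wrappers
# (System.Core) from Windows PowerShell; the message is a constructed sample.
Add-Type -AssemblyName System.Core

function Test-CngSignRoundTrip {
    param([string]$Text = 'constructed sample message')
    $message = [System.Text.Encoding]::UTF8.GetBytes($Text)

    # Hashing through the CNG SHA-256 provider
    $sha    = New-Object System.Security.Cryptography.SHA256Cng
    $digest = $sha.ComputeHash($message)

    # ECC (P-256) signing key generated by CNG; hash algorithm chosen explicitly
    $signer = New-Object System.Security.Cryptography.ECDsaCng 256
    $signer.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $signature = $signer.SignData($message)

    # Export only the public key and verify with a separate object, as a relying party would
    $format     = [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob
    $publicBlob = $signer.Key.Export($format)
    $publicKey  = [System.Security.Cryptography.CngKey]::Import($publicBlob, $format)
    $verifier   = New-Object System.Security.Cryptography.ECDsaCng $publicKey

    # A single flipped bit in the message must fail verification
    $tampered = [byte[]]$message.Clone()
    $tampered[0] = $tampered[0] -bxor 1

    New-Object PSObject -Property @{
        Sha256Hex      = ([System.BitConverter]::ToString($digest)).Replace('-', '')
        SignatureBytes = $signature.Length
        ValidOriginal  = $verifier.VerifyData($message, $signature)   # expected True
        ValidTampered  = $verifier.VerifyData($tampered, $signature)  # expected False
    }
}

Test-CngSignRoundTrip | Format-List Sha256Hex, SignatureBytes, ValidOriginal, ValidTampered
```

The same ECDsaCng object accepts a persisted key from a CNG key storage provider (including a TPM-backed one) in place of the ephemeral key generated here, which is how the signing key stays out of process memory on a server.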



Microsoft Security: Defense In Depth

(Diagram. Layers: Edge; Server Applications; Client and Server OS. Cross-cutting areas: Information Protection; Identity & Access Management; Systems Management. Products shown: Encrypting File System (EFS); BitLocker™; Network Access Protection (NAP); Certificate Lifecycle Management; Active Directory Federation Services (ADFS); Forefront Stirling Management; Mobile Device Manager 2008; Data Protection Manager; Configuration Manager 2007; Operations Manager 2007. Foundation: TWC; SDL; Services.)


What is Microsoft Forefront?

Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.

(Diagram: Edge; Client and Server OS; Server Applications.)


End-to-End Protection

(Diagram: IM and Documents flowing through Live Communications Server (access proxy), Live Communications Server and SharePoint Server; E-mail flowing through Exchange Edge Gateway, Exchange Hub Transport and Exchange Mailbox server; ISA Server 2006 at the network edge; management station; Viruses, Worms, Attacks arriving from outside.)

  • ISA Server

    • Firewall on network edge blocks application layer attacks

    • Pre-authenticate users for network access

    • Isolate and protect network segments

    • Secure Exchange/OWA publishing

    • SMTP protocol scanning

  • Forefront for Server

    • AV helps block viruses and inappropriate content inbound

    • AS helps keep viruses off internal servers

    • Content and file filtering helps prevent confidential information from being sent out


Current anti-malware offerings

(Table. For Individual Users: Windows Defender; Windows Live Safety Center; Windows Live OneCare; MSRT. For Businesses: Microsoft Forefront Client Security. Capabilities compared: Remove most prevalent viruses; Remove all known viruses; Real-time antivirus; Remove all known spyware; Real-time antispyware; Central reporting and alerting; Customization; IT infrastructure integration. Which capabilities each product provides is marked on the original slide.)


Core Infrastructure Optimization Model: Leverage IO to understand your security infrastructure

(Table across the maturity levels Basic, Standardized, Rationalized and Dynamic; the Basic and Dynamic descriptions for each row are given below.)

  • Identity and Access Management: Basic, no common identity management model; Dynamic, Federated Identity Management across org. and platform boundaries

  • Desktop, Device and Server Management: Basic, no desktop or server standards, many images, no management standards; Dynamic, automated IT management, dynamic resource usage

  • Security and Networking: Basic, no network and security standards; Dynamic, automated security and network management

  • Data Protection and Recovery: Basic, ad hoc protection of key data; Dynamic, end-to-end data protection and disaster recovery

  • IT and Security Process: Basic, ad hoc, reactive; Dynamic, proactive, optimize cost & quality, end-to-end service & policy management


© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

