
Windows Server 2008 { Security Technologies }



Presentation Transcript


  1. Windows Server 2008 { Security Technologies } Ben Hunter, Consultant, Microsoft Services

  2. Agenda • Key customer challenges • Secure platform • Secure Access Control • Secure information and regulatory compliance • Summary

  3. Windows Server 2008: Customer challenges • Platform reliability: file system and registry are easy targets for attacks; fewer layers between user and kernel increases platform vulnerability; server applications are at risk because of a weak platform architecture • Unauthorized access: unauthorized users are able to access the network; non-compliant devices access and hence corrupt the network; wireless network security is difficult to deploy and manage • Data security and compliance: unauthorized use of data, documents and emails; legal and regulatory issues due to loss of sensitive data; competitive disadvantage due to loss of corporate intellectual property

  4. Windows Server 2008: Advancements • Secure Platform: hardened platform with reduced high-risk layers; prevent abnormal activity in the file system and registry; re-architected platform to reduce corruption and compromise of the system • Secure Access Control: enable policy validation, compliance and remediation for user access; effectively manage and secure mobile users and devices; segregate user access based on identity • Secure Information and Regulatory Compliance: reduce risk of data loss by restricting email and document usage to authorized users; helps network compliance with regulatory and corporate policies; prevent corporate intellectual property from being stolen

  5. Windows Server 2008: Security features • Secure Platform: Windows Service Hardening; Windows Firewall with Advanced Security; enhanced and improved TCP/IP stack • Secure Access Control: Network Access Protection; Server and Domain Isolation; Active Directory Federation Services • Secure Information and Compliance: BitLocker; Active Directory Rights Management Services; enhanced auditing infrastructure

  6. Agenda • Key customer challenges • Secure platform • Secure Access Control • Secure information and regulatory compliance • Summary

  7. Windows Services Hardening • Windows services are profiled • Reduce size of high-risk layers • Segment the services • Increase number of layers • (Diagram: services 1–3 and A–B split into separate layers; each layer labelled K for kernel drivers or U for user-mode drivers)

  8. Evolution of Windows Server TCP/IP • (Diagram: user-mode Winsock and WSK clients; kernel-mode TDI clients, AFD, TDI, TDX and WSK on top of the Next-Generation TCP/IP Stack (tcpip.sys) with RAW, TCP and UDP, the Windows Filtering Platform, a dual IPv6/IPv4 layer, and 802.3, 802.11, loopback, IPv4-tunnel and IPv6-tunnel interfaces over NDIS) • Next Generation Networking highlights: new dual-IP layer architecture for native IPv4 and IPv6 support; expanded IPsec integration; improved performance via hardware acceleration; new network auto-tuning and optimisation algorithms; increased extensibility and reliability through rich APIs

  9. New Windows Firewall • Inbound and outbound filtering • New management console • Integrated firewall and IPsec policies • Rule configuration on Active Directory groups and users • Support for IPv4 and IPv6 • Advanced rule options • On by default (Beta 3)

  10. Read-Only Domain Controller (RODC) • (Diagram: writable DC in the main office, RODC in the branch office) • Features: read-only Active Directory database and GC PAS; only allowed user passwords are stored on the RODC; unidirectional replication; role separation • Benefits: increases security for remote domain controllers where physical security cannot be guaranteed • Support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

  11. How RODC Works (Windows Server 2008 DC in the hub, read-only DC at the remote site) • 1) User logs on and authenticates against the RODC • 2) RODC looks in its DB: "I don't have the user's secrets" • 3) RODC forwards the request to the Windows Server 2008 DC • 4) Windows Server 2008 DC authenticates the request • 5) Authentication response and TGT are returned to the RODC • 6) RODC gives the TGT to the user and caches the credentials
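The two RODC slides above describe a flow (forward on cache miss, cache only what the Password Replication Policy allows) that is easier to reason about in code. The following toy model is an added example, not Microsoft's code; the class names, the `allowed`/`denied` sets standing in for the PRP groups, and the accounts and passwords are all constructed for illustration. It shows why a stolen branch RODC exposes only the cached branch accounts and not, for example, the domain admin.

```python
"""Toy model of the RODC logon flow on slides 10 and 11.

Added illustration, not Microsoft code: the class and function names are
invented for this example, and the accounts and passwords are constructed
sample data. The hub DC holds every secret; the RODC stores only the secrets
of accounts that its Password Replication Policy (PRP) allows it to cache.
"""
from dataclasses import dataclass, field


@dataclass
class HubDC:
    """Writable Windows Server 2008 DC in the main office: authoritative secret store."""
    secrets: dict  # account -> password (constructed sample data)

    def authenticate(self, account, password):
        # Step 4: the hub DC validates the forwarded request and, on success,
        # returns an authentication response and a TGT (step 5).
        ok = self.secrets.get(account) == password
        return ok, (f"TGT({account})" if ok else None)


@dataclass
class RODC:
    """Branch-office RODC: forwards what it cannot answer and caches selectively."""
    hub: HubDC
    allowed: set   # PRP: accounts whose secrets may be cached on this RODC
    denied: set    # PRP: accounts that must never be cached (wins over allowed)
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def may_cache(self, account):
        return account in self.allowed and account not in self.denied

    def logon(self, account, password):
        # Step 1: the user logs on at the remote site against the RODC.
        if account in self.cache:
            # Step 2, cache hit: the RODC answers without the hub (works with the WAN down).
            ok = self.cache[account] == password
            self.log.append(f"{account}: answered from RODC cache")
            return ok, (f"TGT({account})" if ok else None)
        # Step 2, cache miss: "I don't have the user's secrets" -> step 3, forward to hub.
        self.log.append(f"{account}: forwarded to hub DC")
        ok, tgt = self.hub.authenticate(account, password)
        if ok and self.may_cache(account):
            # Step 6: the secret is replicated to the RODC only if the PRP allows it.
            self.cache[account] = password
            self.log.append(f"{account}: secret now cached on RODC")
        elif ok:
            self.log.append(f"{account}: PRP forbids caching; nothing stored locally")
        return ok, tgt

    def exposed_if_stolen(self):
        """Accounts whose secrets are on the RODC's disk, i.e. the blast radius of a theft."""
        return sorted(self.cache)


def run_branch_scenario():
    """Constructed scenario: a branch user, a domain admin and a wrong password."""
    hub = HubDC({"branch.user": "Pa55!", "domain.admin": "Adm1n!"})
    rodc = RODC(hub, allowed={"branch.user"}, denied={"domain.admin"})
    results = {
        "first_logon": rodc.logon("branch.user", "Pa55!")[0],
        "branch_user_cached": "branch.user" in rodc.cache,
        "admin_logon": rodc.logon("domain.admin", "Adm1n!")[0],
        "admin_cached": "domain.admin" in rodc.cache,
        "bad_password": rodc.logon("branch.user", "wrong")[0],
        "exposed": rodc.exposed_if_stolen(),
    }
    return results, rodc.log


if __name__ == "__main__":
    outcome, events = run_branch_scenario()
    print(outcome)
    for line in events:
        print(line)
```

Running the scenario shows the admin logon succeeding through the hub while nothing about that account is retained on the RODC, and the branch user's second logon being served from the local cache.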

  12. Demo: Fine-Grained Password Policies (Ben Hunter, Consultant, Microsoft Services)

  13. Agenda • Key customer challenges • Secure platform • Secure Access Control • Secure information and regulatory compliance • Summary

  14. Network Access Protection • Policy-based solution that: validates whether computers meet health policies; limits access for noncompliant computers; automatically remediates noncompliant computers; continuously updates compliant computers to maintain health state • (Diagram: Internet, boundary zone and intranet, with employees, partners, vendors, customers and remote employees) • Solution highlights: standards-based; plug and play; works with most devices; supports multiple antivirus solutions; has become the standard for Network Access Control

  15. Network Access Protection: How it works • 1) Access requested (through DHCP, VPN or a switch/router) • 2) Health state sent to NPS (RADIUS) • 3) NPS validates against health policy (policy servers, e.g. patch, AV) • 4) If compliant, access granted to the corporate network • 5) If not compliant, restricted network access and remediation (remediation servers, e.g. patch)
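The five steps above are a decision loop: evaluate the statement of health, either admit or restrict, and re-evaluate after remediation. The model below is an added example and not Microsoft's NAP or NPS code; the policy fields, the health checks, the remediation-server names and the two client statements are all invented for illustration. It demonstrates the part the slide only names: how several failed checks map onto the set of remediation servers a restricted client is allowed to reach, and how the client is admitted once they have done their job.

```python
"""Toy model of the NAP decision loop on slide 15: the client submits a
statement of health, the NPS (RADIUS) compares it against the health policy,
and the answer is either full corporate-network access or restricted access
plus the remediation servers to contact; after remediation the client is
re-evaluated.

Added example, not Microsoft's NAP or NPS code; every name, field and policy
value below is invented for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HealthPolicy:
    min_patch_level: int          # constructed: required patch baseline
    require_firewall: bool
    require_antivirus: bool
    max_signature_age_days: int


@dataclass(frozen=True)
class StatementOfHealth:
    client: str
    patch_level: int
    firewall_on: bool
    antivirus_on: bool
    signature_age_days: int


# Which remediation server (slide 15: "e.g., patch") fixes which failed check.
REMEDIATION_SERVER = {
    "patch": "patch server",
    "firewall": "configuration server",
    "antivirus": "antivirus signature server",
}


def evaluate(soh, policy):
    """Step 3: return the (check, reason) pairs that fail; an empty list means compliant."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append(("patch", f"patch level {soh.patch_level} below {policy.min_patch_level}"))
    if policy.require_firewall and not soh.firewall_on:
        failures.append(("firewall", "host firewall is off"))
    if policy.require_antivirus:
        if not soh.antivirus_on:
            failures.append(("antivirus", "antivirus is not running"))
        elif soh.signature_age_days > policy.max_signature_age_days:
            failures.append(("antivirus", f"signatures are {soh.signature_age_days} days old"))
    return failures


def nps_decision(soh, policy):
    """Steps 4 and 5: the access decision the NPS hands back to the enforcement point."""
    failures = evaluate(soh, policy)
    if not failures:
        return {"client": soh.client, "network": "corporate", "remediation": [], "reasons": []}
    return {
        "client": soh.client,
        "network": "restricted",
        # Only these remediation servers are reachable from the restricted network.
        "remediation": sorted({REMEDIATION_SERVER[check] for check, _ in failures}),
        "reasons": [reason for _, reason in failures],
    }


def remediate(soh, policy):
    """Simulate the remediation servers bringing the client up to policy."""
    return replace(
        soh,
        patch_level=max(soh.patch_level, policy.min_patch_level),
        firewall_on=soh.firewall_on or policy.require_firewall,
        antivirus_on=soh.antivirus_on or policy.require_antivirus,
        signature_age_days=0,
    )


def admission_cycle(soh, policy):
    """Full cycle: decide, remediate if restricted, then decide again."""
    first = nps_decision(soh, policy)
    if first["network"] == "corporate":
        return first, None
    return first, nps_decision(remediate(soh, policy), policy)


POLICY = HealthPolicy(min_patch_level=42, require_firewall=True,
                      require_antivirus=True, max_signature_age_days=3)

# Constructed statements of health from two clients.
COMPLIANT = StatementOfHealth("laptop-01", 42, True, True, 1)
STALE = StatementOfHealth("laptop-02", 40, False, True, 10)

if __name__ == "__main__":
    for soh in (COMPLIANT, STALE):
        print(admission_cycle(soh, POLICY))
```

The `reasons` list is what an operator wants in the NPS log: not just "restricted" but which check failed, so a client stuck on the restricted network can be diagnosed without re-running the evaluation by hand.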

  16. Extending Network Access Protection • Vendors and developers use the published API to extend functionality and create: custom network policy validation; ongoing network policy compliance; network isolation components; heterogeneous operating system support (Linux, Macintosh) • Ecosystem partners: networking, anti-virus, systems integrators, endpoint security, update/management • Interoperability partners: Cisco, Trusted Computing Group, Juniper Networks • Broad industry adoption and support: more than 120 partners

  17. Demo: Network Access Protection (Ben Hunter, Consultant, Microsoft Services)

  18. Server and Domain Isolation • (Diagram: Active Directory domain controller and corporate network; managed computers and an HR workstation inside the domain isolation boundary; servers with sensitive data inside the server isolation boundary; a trusted resource server; an unmanaged/rogue computer marked untrusted and blocked) • Enable tiered access to sensitive resources • Block inbound connections from untrusted computers • Managed computers can communicate • Define the logical isolation boundaries • Distribute policies and credentials

  19. More Secure and Manageable Wireless LAN • (Diagram: wireless clients, wireless access points, wireless controller, Network Policy Server as authentication server, Active Directory, Certificate Authority (optional), SQL Server (optional)) • Efficiently deploy and manage secure 802.11 wireless networking • Deploy and maintain leading wireless 802.11 security methods, including smartcards or passwords, with no additional client software • Windows Server NPS, AD and optional CA services enable central control of network authentication and encryption of wireless 802.11 traffic

  20. Agenda • Key customer challenges • Secure platform • Secure Access Control • Secure information and regulatory compliance • Summary

  21. Compliance Challenges: Multiple mandates

  22. Windows Eventing 6.0 • The new auditing subsystem in Windows Vista and Windows Server 2008 • 95% of the Windows Server 2008 feature set exists within the Windows Vista codebase • Includes: enhanced event explanation text; XML event format; accessible via WS-Management; Granular Audit Policy (GAP) through subcategories (AuditPol); increased scalability; event triggering; enhanced Registry and Directory Service auditing; event subscriptions

  23. Security Event Comparison: Windows Server 2003 vs. Windows Server 2008

  24. Updated Event Viewer

  25. Granular Audit Policy (GAP) • Broad audit categories result in event overload; they were the only option in previous versions of Windows • Each category (9 previously) has its events broken down to provide selective success/failure • Decreased ratio to ~7 events per subcategory • Not deployable through the standard Group Policy UI; leverage the updated AUDITPOL to set and review • List available GAP categories: auditpol /list /subcategory:* • Get configured policies: auditpol /get /category:* • KB 921469 has sample instructions on how to deploy in GP today for Windows Server 2008 and Vista • Note: once deployed, audit policy is not often changed
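Because subcategory audit policy is set with AUDITPOL rather than the Group Policy UI, it is worth checking regularly that a server still matches the intended baseline. The script below is an added example, not Microsoft tooling: it parses the CSV report that `auditpol /get /category:* /r` prints (the `/r` switch is auditpol's CSV report format), compares it with a baseline, and prints the `auditpol /set` commands that would close each gap. The sample report, the machine name, the subcategory GUIDs and the baseline are constructed for the example; the only real names are the subcategories and the auditpol switches.

```python
"""Check a server's granular audit policy (slide 25) against a baseline.

Added example, not Microsoft tooling. It parses the CSV that
`auditpol /get /category:* /r` prints and lists the subcategories that fall
short of a baseline, together with the `auditpol /set` commands that would
close each gap. The sample output, machine name, GUIDs and the baseline are
constructed for the example; a real baseline comes from your own requirements.
"""
import csv
import io

# Constructed sample in the shape of `auditpol /get /category:* /r` output.
# GUIDs are placeholders, not the real subcategory identifiers.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
SRV01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
SRV01,System,Account Lockout,{00000000-0000-0000-0000-000000000003},No Auditing,
SRV01,System,User Account Management,{00000000-0000-0000-0000-000000000004},Success,
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000005},No Auditing,
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000006},No Auditing,
"""

# Constructed baseline: the success/failure settings each subcategory must have.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Account Lockout": {"Success"},
    "User Account Management": {"Success", "Failure"},
    "Audit Policy Change": {"Success", "Failure"},
}


def parse_inclusion(setting):
    """Map auditpol's Inclusion Setting text to the set of enabled event kinds."""
    setting = setting.strip()
    if setting == "No Auditing":
        return set()
    if setting == "Success and Failure":
        return {"Success", "Failure"}
    return {setting}  # "Success" or "Failure" on its own


def parse_auditpol_csv(text):
    """Return {subcategory: set of enabled kinds} from auditpol /r output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"]: parse_inclusion(row["Inclusion Setting"]) for row in reader}


def find_gaps(configured, baseline):
    """Subcategories whose configured setting lacks something the baseline requires."""
    gaps = {}
    for subcategory, required in baseline.items():
        missing = required - configured.get(subcategory, set())
        if missing:
            gaps[subcategory] = sorted(missing)
    return gaps


def remediation_commands(gaps):
    """The auditpol /set commands that would enable the missing settings."""
    commands = []
    for subcategory, missing in gaps.items():
        switches = " ".join(f"/{kind.lower()}:enable" for kind in missing)
        commands.append(f'auditpol /set /subcategory:"{subcategory}" {switches}')
    return commands


if __name__ == "__main__":
    found = find_gaps(parse_auditpol_csv(SAMPLE_AUDITPOL_CSV), BASELINE)
    for line in remediation_commands(found):
        print(line)
```

Subcategories that are not in the baseline (Process Creation in the sample) are ignored rather than flagged, so the check reports only what the baseline actually requires; a subcategory that is in the baseline but missing from the report entirely is treated as "No Auditing".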

  26. Demo: Auditing (Ben Hunter, Consultant, Microsoft Services)

  27. Protecting Information • Rights Management Services (RMS) is a technology in WS08 for protecting documents, data and emails from unauthorized access and use • Document owner can identify authorized users • Protection goes with the file • Both access and usage restrictions are enforced • RMS can manage forwarding, printing, copy-and-paste, Print Screen and document expiration • Easy to use, integrated with Office • Managed by the enterprise

  28. Active Directory Federation Services (ADFS) • An authentication method that enables secure, appropriate customer/partner/employee access to web applications outside their domain/forest • Projecting user identity from a single logon… • Providing distributed authentication and claims-based authorization… • Connecting islands (across security, organizational or platform boundaries)… • Enabling web single sign-on and simplified identity management

  29. Protecting Intellectual Capital: RMS Workflow • (Diagram: author using Office, Windows Server running RMS, Active Directory, SQL Server, the recipient) • 1) Author receives a client licensor certificate the "first time" they rights-protect information • 2) Author defines a set of usage rights and rules for their file; the application creates a "Publish License" and encrypts the file • 3) Author distributes the file • 4) Recipient clicks the file to open it; the RMS-enabled application calls the RMS server, which validates the user and issues a "Use License" • 5) The RMS-enabled application renders the file and enforces rights

  30. Federated Rights Management (Contoso and Adatum) • Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities • AD RMS is fully claims-aware and can interpret AD FS claims • Office SharePoint Server 2007 can be configured to accept federated identity claims • (Diagram: AD and Resource Federation Server on one side, AD and Account Federation Server on the other, joined by a federation trust; RMS and web SSO)

  31. BitLocker – Persistent Protection • Protects data while a system is offline • Ensures boot process integrity • Simplifies equipment recycling • Mitigating against external threats • Full volume encryption – multiple drives

  32. Security: Defense In Depth

  33. Summary • Windows Server 2008 introduces a number of security enhancements and innovations to increase protection of servers, networks and data • Administrators will have policy-driven mechanisms to better manage and secure network access • Solutions like Network Access Protection (NAP) offer administrators a wide range of choice and deployment flexibility to better secure their Windows networks

  34. Reminders • Subscribe to our free, online newsletters to stay up to date with Microsoft news, information & events • www.microsoft.co.nz/subscribe • Don’t forget to fill in your Evaluation form! • Hand in at end of day for complimentary software • TechEd 2008: 1-3 September, SkyCity • Mark the dates. Registration opening soon.

  35. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
