Post on 24-Dec-2015
Security and Compliance
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada
Rodney Buike, IT Pro Advisor, Microsoft Canada
Enabling Security and Compliance
Fundamentals
Improved Security Development Lifecycle (SDL) process for Windows Vista
• Periodic mandatory security training
• Assignment of security advisors for all components
• Threat modeling as part of the design phase
• Security reviews and testing built into the schedule
• Security metrics for product teams
Common Criteria (CC) Certification
Service Hardening
Windows Service Hardening: defense in depth
• Services run with reduced privilege compared to Windows XP
• Windows services are profiled for allowed actions to the network, file system, and registry
• Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
[Diagram: active protection of the file system, registry and network]
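The slide describes the three parts of a service profile (reduced privilege, a per-service identity, and allowed actions on network, file system and registry). The following is an added example, not from the deck, that inspects each of these for one service on a live system; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist), uses Windows Update (`wuauserv`) purely as a sample service, and the registry key chosen for the ACL check is an illustration that may show no service-specific ACEs on a given build.

```powershell
# Added example (not from the deck): inspect how Windows Service Hardening
# confines one service. Assumes an elevated PowerShell session on Windows 8 /
# Server 2012 or later, where the NetSecurity module exists; on Windows Vista
# the sc.exe queries are the same and 'netsh advfirewall' replaces the cmdlets.
$serviceName = 'wuauserv'   # Windows Update, chosen as a sample service

# 1. Per-service SID. RESTRICTED or UNRESTRICTED means the service token
#    carries an NT SERVICE\<name> SID that file, registry and firewall ACLs
#    can name; NONE means it only has its host account's identity.
sc.exe qsidtype $serviceName
sc.exe showsid  $serviceName

# 2. Reduced privilege: the privileges the Service Control Manager leaves in
#    the service token; everything not listed is stripped at start-up.
sc.exe qprivs $serviceName

# 3. Network profile: firewall rules scoped to this service alone. A rule set
#    like this is what "profiled for allowed actions to the network" means.
Get-NetFirewallRule -Enabled True |
    Where-Object { ($_ | Get-NetFirewallServiceFilter).Service -eq $serviceName } |
    Select-Object DisplayName, Direction, Action, Profile |
    Format-Table -AutoSize

# 4. Registry profile: ACEs granted to service SIDs on a key the service uses
#    (the Windows Update key, as an illustration; the list may be empty if
#    the key is protected through inherited ACEs instead).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
(Get-Acl -Path $key).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

A service whose SID type is NONE, whose privilege list is long, and which has no service-scoped firewall rules is one that the hardening model cannot confine; that combination is the finding to look for when reviewing third-party services.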
Enabling Security and Compliance
Social Engineering Protections
• Phishing Filter and colored address bar
• Dangerous Settings Notification
• Secure defaults for IDN
Protection from Exploits
• Unified URL parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode to prevent malicious software
Internet Explorer 7
Advanced Malware Protection
[Diagram: IE6 versus IE7 Protected Mode. In IE6 an exploit can install malware because the browser runs with the user's full rights: with admin-rights access it can install a driver and run Windows Update (HKLM, Program Files); with user-rights access it can change settings and download a picture (HKCU, My Documents, Startup Folder); cached Web content goes to Temporary Internet Files. In IE7 Protected Mode, Internet Explorer runs under Integrity Control with direct access only to un-trusted files and settings (Temporary Internet Files); writes to other settings and files are redirected by the Compat Redirector, and the IEAdmin and IEUser broker processes mediate installing an ActiveX control or changing settings and saving a picture.]
Phishing Filter: Dynamic Protection Against Fraudulent Websites
Three "checks" to protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double-checks the site with an online Microsoft service of reported phishing sites, updated several times every hour
Two levels of warning and protection in the IE7 Security Status Bar:
• Level 1: Suspicious website – signaled (warning)
• Level 2: Confirmed phishing site – signaled and blocked
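The three checks above form a pipeline: a local allow list short-circuits everything, heuristics produce a "suspicious" verdict, and a reputation service produces a "blocked" one. The following is an added example, not code from the deck or from Microsoft, that implements the same three-stage shape as a PowerShell function. The allow list and the "reported sites" feed are constructed sample data standing in for the local list and the online service, and the heuristics (IP-literal hosts, embedded credentials, punycode, deep nesting, brand look-alikes) are assumptions about what "characteristics common to phishing sites" might be, not Microsoft's actual rules.

```powershell
# Added example (not from the deck): a three-check URL classifier in the style
# of the IE7 Phishing Filter. Sample lists and heuristics are constructed.
function Test-PhishingUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Check 1 data: constructed local list of known legitimate sites.
        [string[]]$KnownLegitimateHosts = @('www.microsoft.com', 'login.live.com', 'www.example.com'),
        # Check 3 data: constructed stand-in for the online reported-sites service.
        [string[]]$ReportedPhishingHosts = @('secure-update-example.com')
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Level = 'Suspicious'; Reason = 'Unparseable URL' }
    }
    $hostName = $uri.Host.ToLowerInvariant()   # note: $host is a reserved PowerShell variable

    # Check 1: known legitimate site, so the remaining checks are skipped.
    if ($KnownLegitimateHosts -contains $hostName) {
        return [pscustomobject]@{ Url = $Url; Level = 'Allowed'; Reason = 'Known legitimate site' }
    }

    # Check 2: heuristics for characteristics common to phishing sites (assumed set).
    $reasons = @()
    if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4 -or
        $uri.HostNameType -eq [System.UriHostNameType]::IPv6) { $reasons += 'IP address instead of host name' }
    if ($uri.UserInfo) { $reasons += 'Credentials embedded before @' }
    if ($hostName.StartsWith('xn--') -or $hostName.Contains('.xn--')) { $reasons += 'Punycode (IDN) host' }
    if (($hostName -split '\.').Count -gt 4) { $reasons += 'Unusually deep subdomain nesting' }
    foreach ($brand in $KnownLegitimateHosts) {
        $label = ($brand -split '\.')[-2]   # e.g. 'microsoft' from www.microsoft.com
        if ($hostName -ne $brand -and $hostName -match [regex]::Escape($label)) {
            $reasons += "Resembles $brand"
        }
    }

    # Check 3: the reported-sites service outranks the heuristics.
    if ($ReportedPhishingHosts -contains $hostName) {
        return [pscustomobject]@{ Url = $Url; Level = 'Blocked'; Reason = 'Reported phishing site' }
    }
    if ($reasons.Count -gt 0) {
        return [pscustomobject]@{ Url = $Url; Level = 'Suspicious'; Reason = ($reasons -join '; ') }
    }
    [pscustomobject]@{ Url = $Url; Level = 'Allowed'; Reason = 'No indicators' }
}

# Constructed sample URLs (documentation address range and example domains).
@(
    'https://www.microsoft.com/security',
    'http://192.0.2.10/login',
    'https://secure-update-example.com/verify',
    'https://microsoft.example.net/signin'
) | ForEach-Object { Test-PhishingUrl -Url $_ } | Format-Table -AutoSize
```

Running it gives Allowed, Suspicious, Blocked and Suspicious for the four sample URLs. The ordering matters: a confirmed report (Level 2) is returned even when no heuristic fired, and the allow list is consulted first so that a legitimate site with an odd-looking URL is never warned on.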
ActiveX Opt-in (IE7)
Controls are disabled by default:
1. IE7 blocks the ActiveX control
2. User grants permission (opts in)
3. IE7 confirms the install
4. ActiveX control enabled
Windows Defender
Improved Detection and Removal
Redesigned and Simplified User Interface
Protection for all users
Windows Vista Firewall: combined firewall and IPsec management
• New management tools – the Windows Firewall with Advanced Security MMC snap-in reduces conflicts and coordination overhead between technologies
• Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups
• Outbound filtering – an enterprise management feature, not for consumers
• Simplified protection policy reduces management overhead
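The combined firewall/IPsec model means a firewall rule can require that traffic be authenticated and encrypted by IPsec and that the peer belong to an Active Directory group. The following is an added example, not from the deck, that builds such a rule plus the outbound-filtering policy the slide mentions, using the NetSecurity cmdlets (Windows 8 / Server 2012 and later; on Windows Vista the same rules are built with `netsh advfirewall` or the MMC snap-in). The rule names, port and the group SID are placeholders.

```powershell
# Added example (not from the deck): Windows Firewall with Advanced Security
# rules of the kind the slide describes. Run elevated. Group SID is a placeholder.

# IPsec connection security rule: require authenticated inbound traffic and
# request it outbound, so that firewall rules can depend on the peer identity.
New-NetIPsecRule -DisplayName 'Require IPsec for file sharing' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 -Enabled True

# Firewall rule satisfied only by authenticated AND encrypted traffic from
# computers in a given AD group. -RemoteMachine takes an SDDL string; the
# SID below is a placeholder for the real group SID.
$fileServersGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder
New-NetFirewallRule -DisplayName 'SMB in from File Servers group (IPsec)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteMachine "D:(A;;CC;;;$fileServersGroupSid)" -Profile Domain

# Outbound filtering: switch the domain profile to block-by-default, then
# allow only what is needed. This is the "enterprise management feature";
# it is not the consumer default.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Allow outbound HTTPS' `
    -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow -Profile Domain

# Verify: the security filter holds the authentication/encryption/peer terms.
Get-NetFirewallRule -DisplayName 'SMB in from File Servers group (IPsec)' |
    Get-NetFirewallSecurityFilter |
    Format-List Authentication, Encryption, RemoteMachine
```

Without the connection security rule the firewall rule can never match, because no traffic would arrive with an IPsec identity attached; the two are always deployed together. Test outbound block-by-default on a pilot group first, since anything not explicitly allowed stops working.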
Network Access Protection
[Diagram: a Windows Vista client connects through an access device (DHCP, VPN, switch/router); the Network Policy Server evaluates the client's health against Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party). A client that is not policy compliant is placed on the Restricted Network, where Fix Up Servers (e.g. MSFT WSUS, SMS and 3rd party) bring it into compliance; a policy-compliant client is admitted to the Corporate Network.]
Enhanced Security
• All communications are authenticated, authorized & healthy
• Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
• Policy-based access that IT Pros can set and control
Enabling Security and Compliance
Information Leakage Is Top-of-mind With Business Decision Makers
"After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach"
Jupiter Research Report, 2004
Security breaches reported (share of businesses):
• Virus infection: 63%
• Unintended forwarding of emails: 36%
• Loss of mobile devices: 35%
• Password compromise: 22%
• Email piracy: 22%
• Loss of digital assets, restored: 20%
BitLocker™ Drive Encryption
• Designed specifically to prevent a thief who boots another operating system or runs a hacking tool from breaking Windows file and system protections
• Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system
• Uses a v1.2 TPM or USB flash drive for key storage
BitLocker Drive Encryption
•Improved at-rest data protection with full drive encryption
•Usability with scalable security protections
•Enterprise-ready deployment capabilities
•Offline system-tampering resistance
•Worry-free hardware repurposing and decommissioning
•Integrated disaster recovery features
[Diagram: BitLocker key hierarchy. The Trusted Platform Module protects the Volume Master Key; the Volume Master Key encrypts the Full Volume Encryption Key; the Full Volume Encryption Key encrypts the volume data, so cleartext data is available only once that chain is unsealed. The options below are placed on an axis from security to ease of use.]
Spectrum Of Protection
• TPM Only ("What it is"): protects against SW-only attacks; vulnerable to HW attacks (including potentially "easy" HW attacks)
• TPM + PIN ("What you know"): protects against many HW attacks; vulnerable to TPM-breaking attacks
• Dongle Only ("What you have"): protects against all HW attacks; vulnerable to losing the dongle and to pre-OS attacks
• TPM + Dongle ("Two what-I-have's"): protects against many HW attacks; vulnerable to HW attacks
BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.
Windows Vista Data Protection
• Policy definition and enforcement: Rights Management Services
• User-based file system encryption: Encrypting File System
• Drive-level encryption: BitLocker Drive Encryption
Recovery Options
• BitLocker™ setup will automatically escrow keys and passwords into AD: centralized storage/management of keys (EA SKU)
• Setup may also try (based on policy) to back up keys and passwords onto a USB dongle or to a file location: the default for non-domain-joined users
• Exploring options for web service-based key escrow
• Recovery password known by the user/administrator: recovery can occur "in the field" and Windows operation can continue as normal
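The spectrum-of-protection slide and the recovery-options slide together describe one deployment decision: which unlock factors protect the Volume Master Key, and where the recovery password is escrowed. The following is an added example, not from the deck, that enables BitLocker on the OS volume with the "TPM + PIN" option, adds a recovery password, escrows it to Active Directory and optionally to removable media, using the BitLocker PowerShell module (Windows 8 / Server 2012 and later; Windows Vista used manage-bde and the Control Panel). It assumes an elevated session on a TPM-equipped machine whose Group Policy permits AD DS backup of recovery information; the removable-drive path is a placeholder.

```powershell
# Added example (not from the deck): TPM + PIN protection plus escrowed
# recovery password. Run elevated; E:\ is a placeholder for a USB drive.
$osDrive = 'C:'

# Confirm a TPM is present and ready before choosing a TPM-based protector;
# without one, the "Dongle Only" (startup key) point on the spectrum applies.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM: choose a startup-key (dongle) protector instead.'
}

# "What it is" + "what you know": TPM plus a pre-boot PIN.
$pin = Read-Host -Prompt 'Enter a BitLocker startup PIN' -AsSecureString
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Recovery password: a 48-digit numerical password "known by the
# user/administrator", so recovery can occur in the field.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# Escrow each recovery password protector into Active Directory (the deck's
# centralized storage/management of keys).
$volume   = Get-BitLockerVolume -MountPoint $osDrive
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId
}

# Optional: also save the recovery password to removable media, the default
# for non-domain-joined users. Keep that media away from the laptop it unlocks.
$recovery | ForEach-Object {
    "Recovery password for $osDrive ($($_.KeyProtectorId)): $($_.RecoveryPassword)"
} | Out-File -FilePath 'E:\BitLocker-Recovery.txt'   # placeholder path

# Show the resulting protector set and encryption progress.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus |
    Format-List
$recovery | Select-Object KeyProtectorType, KeyProtectorId
```

The two protectors are independent paths to the same Volume Master Key: the TPM + PIN path is the everyday one, the recovery password is the fallback when the TPM measurements change (firmware update, board swap) or the PIN is forgotten. Verify the AD escrow actually succeeded before rolling the policy out, since a volume whose only recovery copy was never written is unrecoverable.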
Improve Wireless Security: Lowers Risk
IEEE 802.11i replaces previous, less secure encryption schemes and interim security standards
• Supports IEEE 802.11i
• Superior encryption with Advanced Encryption Standard (AES)
• Fast roaming with cached credentials
• Faster re-connect to commonly used networks
XPS Document Format
New secure XML-based document specification
Features overview:
• Create using Microsoft Office applications
• Supports digital signatures
• Supports digital rights management
• Format based on XML
Benefits overview:
• Format unpaginated content for reading
• Distribute application-agnostic documents
• Leverage for service-oriented applications
Enabling Security and Compliance
User Account Control
Challenges:
• Users running as admin = unmanaged desktops
• Line of Business (LoB) applications require elevated privileges to run
• Common operating system configuration tasks require elevated privilege
Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls
• Make the system work well for standard users: allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
• High application compatibility with file/registry virtualization
• Make it clear when elevation to admin is required and allow that to happen in-place without logging off
• Administrators use full privilege only for administrative tasks or applications
• User provides explicit consent before using elevated privilege
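The UAC goals above (explicit consent, in-place elevation without logging off, file/registry virtualization) are visible from inside a script. The following is an added example, not from the deck, that reads the UAC policy values, reports whether the current process is already elevated, and if not requests elevation in place through the consent prompt. It assumes it is saved as a .ps1 file (so that `$PSCommandPath` is set) and names only the real policy values under the Policies\System key.

```powershell
# Added example (not from the deck): observe User Account Control from a script
# and request elevation in place rather than asking the user to log off.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey
[pscustomobject]@{
    UacEnabled                 = [bool]$policy.EnableLUA
    AdminPromptBehavior        = $policy.ConsentPromptBehaviorAdmin   # 2 = prompt for consent on the secure desktop
    StandardUserPromptBehavior = $policy.ConsentPromptBehaviorUser    # 3 = prompt for credentials on the secure desktop
    FileRegistryVirtualization = [bool]$policy.EnableVirtualization
} | Format-List

function Test-IsElevated {
    # True only when the token currently carries the Administrators group as
    # enabled, i.e. after UAC consent; a split token without consent returns False.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    Write-Host 'This step changes system settings and needs administrator rights; requesting elevation...'
    # -Verb RunAs raises the UAC consent/credential prompt for this one process
    # only; the rest of the user's session stays at standard-user rights.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-File', $PSCommandPath
    return
}
Write-Host "Running elevated as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
# ... the administrative work that actually needs full privilege follows here ...
```

The pattern keeps the administrative portion small and explicit, which is the "full privilege only for administrative tasks" goal: everything before the elevation check runs as a standard user, and the user sees exactly one consent prompt for the part that needs more.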
Authentication Improvements
• Plug and Play Smart Cards: drivers and Certificate Service Provider (CSP) included in Windows Vista; login and credential prompts for User Account Control all support Smart Cards
• New logon architecture: GINA (the old Windows logon model) is gone. Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding
Improved Auditing
• More granularity: support for many auditing subcategories – logon, logoff, file system access, registry access, use of administrative privilege. Previous versions of Windows only support high-level categories such as System, Logon/Logoff, and Object Access, with little granularity
• New logging infrastructure: easier to filter out "noise" in logs and find the event you're looking for. Tasks tied to events: when an event occurs, such as administrative privilege use, tasks such as sending an Email to an auditor can run automatically
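The auditing slide describes three things: enabling a subcategory rather than a whole category, filtering the resulting events, and binding a task to an event. The following is an added example, not from the deck, that does all three for the "Sensitive Privilege Use" subcategory, assuming an elevated session on Windows Vista or later. Event ID 4673 (a privileged service was called) is the real Security-log event for that subcategory; the property indices used to pull fields out of it follow the 4673 event template and should be verified on the target build, and the notification script path is a placeholder.

```powershell
# Added example (not from the deck): granular audit policy, noise-free
# filtering, and an event-triggered task. Run elevated. Script path is a placeholder.

# Granular policy: enable only the "Sensitive Privilege Use" subcategory
# rather than the whole "Privilege Use" category of earlier Windows versions.
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /get /category:"Privilege Use"

# Filter out the noise: only privilege-use events from the last day, and only
# the fields an auditor needs. Property indices are an assumption based on
# the 4673 template (1 = subject user name, 6 = privilege list, 8 = process).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Subject';   e = { $_.Properties[1].Value } },
        @{ n = 'Privilege'; e = { $_.Properties[6].Value } },
        @{ n = 'Process';   e = { $_.Properties[8].Value } } |
    Format-Table -AutoSize

# Task tied to an event: run a notification script whenever 4673 is logged.
# /EC names the event channel, /MO the XPath filter over the event's System node.
schtasks /Create /TN "Notify auditor on privilege use" `
    /TR "powershell.exe -NonInteractive -File C:\Scripts\Send-AuditMail.ps1" `
    /SC ONEVENT /EC Security /MO "*[System[(EventID=4673)]]" /RU SYSTEM /F
```

Enabling a subcategory on a busy server can generate a high event volume, so scope the task's XPath filter (for example to a specific privilege or process) before pointing it at a mailbox; the same `/MO` filter syntax accepts `EventData` predicates for that purpose.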
Q&A
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.