Howard Chow, Microsoft MVP
Transcript of slides: download.microsoft.com/documents/hk/technet/techdays2009/WCL…
Session Objectives
Introduce and demonstrate the security features in Windows 7
Understand how the security features in Windows 7 solve customer pain points
Provide you with the knowledge to talk confidently about the security features in Windows 7
Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
Fundamentally Secure Platform: Windows Vista Foundation; Streamlined User Account Control; Enhanced Auditing
Securing Anywhere Access: Network Security; Network Access Protection; DirectAccess™
Protect Users & Infrastructure: AppLocker™; Internet Explorer 8; Data Recovery
Protect Data from Unauthorized Viewing: RMS; EFS; BitLocker & BitLocker To Go™
Fundamentally Secure Platform
Windows Vista Foundation
Security Development Lifecycle process
Kernel Patch Protection
Windows Service Hardening
DEP & ASLR (IE 8 inclusive)
Mandatory Integrity Controls
User Account Control
Streamlined User Account Control
Make the system work well for standard users
Administrators use full privilege only for administrative tasks
File and registry virtualization helps applications that are not UAC compliant
Enhanced Auditing
XML based
Granular audit categories
Detailed collection of audit results
Simplified compliance management
User Account Control: Windows Vista vs. Windows 7
System Works for Standard User
All users, including administrators, run as Standard User by default
Administrators use full privilege only for administrative tasks or applications
User provides explicit consent before using elevated privilege
Disabling UAC removes protections, not just the consent prompt
Streamlined UAC
Users can do even more as a standard user
Administrators will see fewer UAC Elevation Prompts
Reduce the number of OS applications and tasks that require elevation
Refactor applications into elevated/non-elevated pieces
Flexible prompt behavior for administrators
Desktop Auditing: Windows Vista vs. Windows 7
Granular auditing complex to configure
Auditing access and privilege use for a group of users
Enhanced Auditing
Simplified configuration results in lower TCO
Demonstrate why a person has access to specific information
Understand why a person has been denied access to specific information
Track all changes made by specific people or groups
New XML based events
Fine grained support for audit of administrative privilege
Simplified filtering of “noise” to find the event you’re looking for
Tasks tied to events
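The following PowerShell is an added example, not part of the slides: on a Windows 7 machine (elevated prompt) it enables two of the granular audit subcategories with auditpol, then reads the XML form of the resulting Security events so that filtering is done on named EventData fields rather than on message text. The user name jdoe and the event counts are constructed for the example; the subcategory names, event ID 4688 and the field names are the real ones Windows uses.

```powershell
# Added example, not from the presentation. Windows 7, elevated PowerShell.
# 1. Granular audit categories: list the effective policy, then enable only the
#    subcategories needed instead of a whole legacy category.
#    "Sensitive Privilege Use" is the subcategory behind auditing administrative privilege use.
auditpol /get /category:*
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. XML-based events: every Windows 7 event carries named EventData fields, so
#    "noise" can be filtered on those fields. Event 4688 = a new process has been created.
function Get-ProcessCreationEvents {
    param([string]$User, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()            # the event as XML, exactly as Event Viewer shows it
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Process = $data['NewProcessName']
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User }
}

# Processes started by one (constructed) user; without -User every 4688 event is returned.
Get-ProcessCreationEvents -User 'jdoe' | Format-Table Time, User, Process -AutoSize

# 3. The same filter as an XPath query over the event XML. This form is what Event Viewer
#    custom views use, and a scheduled task can be tied to events that match it.
$xpath = "*[System[EventID=4688] and EventData[Data[@Name='SubjectUserName']='jdoe']]"
wevtutil qe Security /q:$xpath /f:text /c:20
```

Enabling "Process Creation" on a busy desktop produces a large volume of 4688 events; the point of the XPath and field-based filters is that the volume stays manageable because the query, not a human, does the sifting.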
UAC & Enhanced Audit
Microsoft Confidential
Securing Anywhere Access
Network Security
Policy based network segmentation for more secure and isolated logical networks
Multi-Home Firewall Profiles
DNSSec Support
DirectAccess
Security protected, seamless, always-on connection to corporate network
Improved management of remote users
Consistent security for all access scenarios
Network Access Protection
Ensure that only “healthy” machines can access corporate data
Enable “unhealthy” machines to get clean before they gain access
Network Access Protection
Health policy validation and remediation
Helps keep mobile, desktop and server devices in compliance
Reduces risk from unauthorized systems on the network
[NAP diagram, Example: Patch. A Windows client that is policy compliant reaches the Corporate Network through DHCP, VPN and the switch/router, with NPS deciding; a client that is not policy compliant is placed on a Restricted Network with Remediation Servers and Policy Servers such as Patch and AV.]
Remote Access for Mobile Workers: Access Information Anywhere
Situation Today
Difficult for users to access corporate resources from outside the office
Challenging for IT to manage, update, patch mobile PCs while disconnected from company network
Windows 7 Solution: DirectAccess
Same experience accessing corporate resources inside and outside the office
Seamless connection increases productivity of mobile users
Easy to service mobile PCs and distribute updates and policies
Protect Users & Infrastructure
AppLocker™
Enables application standardization within an organization without increasing TCO
Increase security to safeguard against data and privacy loss
Support compliance enforcement
Internet Explorer 8
Protect users against social engineering and privacy exploits
Protect users against browser based exploits
Protect users against web server exploits
Data Recovery
File back up and restore
CompletePC™ image-based backup
System Restore
Volume Shadow Copies
Application Control: Situation Today vs. Windows 7 Solution
Situation Today
Users can install and run non-standard applications
Even standard users can install some types of software
Unauthorized applications may: introduce malware; increase helpdesk calls; reduce user productivity; undermine compliance efforts
Windows 7 Solution: AppLocker
Eliminate unwanted/unknown applications in your network
Enforce application standardization within your organization
Easily create and manage flexible rules using Group Policy
AppLocker
Technical Details
Simple Rule Structure: Allow, Exception & Deny
Publisher Rules
Product Publisher, Name, Filename & Version
Multiple Policies
Executables, installers, scripts & DLLs
Rule creation tools & wizard
Audit only mode
SKU Availability: AppLocker™ – Enterprise
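As an added example that is not from the slides, the PowerShell below (Windows 7 Enterprise, elevated prompt, AppLocker module) puts the technical details above into one working policy: an Allow publisher rule with an Exception, a Deny path rule, separate rule collections for executables, installers, scripts and DLLs, audit-only enforcement, the rule-generation cmdlets, and the audit events that result. The rule GUIDs, the exception path LegacyTool and the test paths are constructed for the example; the cmdlet names, XML schema, SIDs, service name and event IDs are the real ones.

```powershell
# Added example, not from the presentation. Windows 7 Enterprise, elevated PowerShell.
Import-Module AppLocker

# Rule structure: Allow + Exception, then Deny. S-1-1-0 is the Everyone SID.
# EnforcementMode="AuditOnly" logs what would be blocked without blocking anything.
$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow: publisher rule keyed on publisher, product name, file name and version -->
    <FilePublisherRule Id="7ec4ea03-c30a-4c8c-8a9e-9b0b6b1c1f01" Name="Allow signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <!-- Exception: carve one (constructed) folder out of the allow rule -->
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\LegacyTool\*" />
      </Exceptions>
    </FilePublisherRule>
    <!-- Deny: nothing runs from user-writable profile folders -->
    <FilePathRule Id="2b3d2d2a-2f0a-4c7e-9a2b-5c1d7e3f4a02" Name="Deny user profile" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <!-- Multiple policies: installers, scripts and DLLs are separate collections, left unconfigured here -->
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
$path = Join-Path $env:TEMP 'applocker-audit.xml'
$policy | Set-Content -Path $path -Encoding UTF8

# Rule creation tools: generate publisher (falling back to hash) allow rules from installed files.
$genPath = Join-Path $env:TEMP 'applocker-generated.xml'
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $genPath -Encoding UTF8

# Dry run against constructed paths before anything is applied.
Test-AppLockerPolicy -XmlPolicy $path -Path 'C:\Windows\System32\notepad.exe', 'C:\Users\Public\tool.exe' -User Everyone

# Apply to the local GPO, merge the generated rules in, and start the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $path
Set-AppLockerPolicy -XmlPolicy $genPath -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# Audit only mode results: 8003 = would have been blocked, 8004 = blocked, 8002 = allowed.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Id, Message
```

Leave a collection in AuditOnly until the 8003 events stop surprising you; before switching EnforcementMode to Enabled, add the console's default rules (Everyone may run %WINDIR%\* and %PROGRAMFILES%\*, Administrators may run everything), because an Exe collection with any rule in it implicitly denies every file no rule allows.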
AppLocker
Internet Explorer 8 Security: Building on IE7 and addressing the evolving threat landscape
Social Engineering & Exploits
Freedom from intrusion: Reduce unwanted communications; International Domain Names; Pop-up Blocker in IE7
Choice and control: Increased usability; Clear notice of information use; Provide only what is needed
Control of information: User-friendly, discoverable notices; P3P-enabled cookie controls; Delete Browsing History; InPrivate™ Browsing & Blocking
Browser & Web Server Exploits
Protection from harm: Protection from deceptive websites, malicious code, online fraud, identity theft; Secure Development Lifecycle; Extended Validation (EV) SSL certs; SmartScreen® Filter; Domain Highlighting; XSS Filter / DEP/NX; ActiveX Controls
Protect Data from Unauthorized Viewing
RMS
Policy definition and enforcement
Protects information wherever it travels
Integrated RMS Client
Policy-based protection of document libraries in SharePoint
EFS
User-based file and folder encryption
Ability to store EFS keys on a smart card
BitLocker
Easier to configure and deploy
Roam protected data between work and home
Share protected data with co-workers, clients, partners, etc.
Improve compliance and data security
Data Protection Scenarios: RMS vs. EFS vs. BitLocker™ (slide matrix; the check marks per technology are not reproduced)
Remote document policy enforcement
Protect content in transit
Protect content during collaboration
Local multi-user file & folder protection on a shared machine
Remote file & folder protection
Untrusted network administrator
Laptop protection
Branch office server
Local single-user file & folder protection
BitLocker: Situation Today vs. Windows 7 Solution
Windows 7 Solution: BitLocker To Go
Extend BitLocker drive encryption to removable devices
Create group policies to mandate the use of encryption and block unencrypted drives
Simplify BitLocker setup and configuration of primary hard drive
[Chart: Worldwide Shipments (000s), 2007 to 2011, comparing Removable Solid-State Storage Shipments with PC Shipments; y-axis 0 to 1200.]
• Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth
• Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III
BitLocker
Technical Details
BitLocker Enhancements: Automatic 200 MB hidden boot partition
New Key Protectors
Domain Recovery Agent (DRA)
Smart card – data volumes only
BitLocker To Go: Support for FAT*
Protectors: DRA, passphrase, smart card and/or auto-unlock
Management: protector configuration, encryption enforcement
SKU Availability
Encrypting – Enterprise
Unlocking – All
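The PowerShell below is an added example, not from the slides: on Windows 7 Enterprise (elevated prompt) it protects a removable drive with BitLocker To Go using the built-in manage-bde tool, adds the protectors listed above (passphrase, recovery password, auto-unlock), and sets the registry value through which the "Deny write access to removable drives not protected by BitLocker" Group Policy setting is enforced. Drive letter E: is an assumption; the FVE policy key and value name are the ones Group Policy writes, and the probe file name is constructed.

```powershell
# Added example, not from the presentation. Windows 7 Enterprise, elevated PowerShell.
$drive = 'E:'   # assumed removable drive letter (FAT or NTFS)

# 1. Current state, then encrypt with a passphrase protector (manage-bde prompts for it).
manage-bde -status $drive
manage-bde -on $drive -Password

# 2. Further key protectors: a 48-digit recovery password (the value a DRA or help-desk
#    recovery workflow stores, for example in AD DS) ...
manage-bde -protectors -add $drive -RecoveryPassword
#    ... and auto-unlock on this machine, which requires the OS volume itself to be BitLocker-protected.
manage-bde -autounlock -enable $drive
manage-bde -protectors -get $drive

# 3. Encryption enforcement. The GPO setting "Deny write access to removable drives not
#    protected by BitLocker" lives under the FVE policy key; setting it locally mirrors what a
#    domain GPO pushes. It is applied when a drive is next inserted (or after gpupdate).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord

# 4. Check: with the policy in force an unencrypted removable drive is read-only,
#    while the encrypted one above can still be written.
function Test-RemovableWritable {
    param([string]$Letter)
    $probe = Join-Path $Letter 'bitlocker-write-probe.tmp'   # constructed probe file
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item $probe
        return $true
    } catch {
        return $false
    }
}
Test-RemovableWritable -Letter $drive
```

The SKU split on this slide is what makes the policy workable: only Enterprise machines can encrypt a drive, but any Windows 7 edition can unlock one, so a drive prepared on a managed machine still opens (read-only on FAT via the BitLocker To Go Reader, or with the passphrase) elsewhere.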
BitLocker
Housekeeping
Level 2
Room S221: OFC208 – by Tara Seppa
Room S222: DAT08-HOL-E – by Microsoft Certified Trainer
Room S224 & 225: MGT339 – by Lawrence Tse
Room S226 & 227: VIR381 – by Bryon Surace
Room S228: WCL05-HOL – by Microsoft Certified Trainer
Level 4
Room S421: UNC310 – by Andrew Ehrensing
Room S423: WMB201 – by Jim Tsui
Room S425: DEV396R – by Andrew Coates
Room S427: DEV377 – by Xiao Ying Guo
Room S426: SEC11-HOL – by Microsoft Certified Trainer
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.