Howard Chow Microsoft MVPdownload.microsoft.com/documents/hk/technet/techdays2009/WCL… ·...


Howard Chow, Microsoft MVP


Session Objectives

Introduce and demonstrate the security features in Windows 7

Understand how the security features in Windows 7 solve customer pain points

Provide you with the knowledge to talk confidently about the security features in Windows 7


Windows 7 Enterprise Security

Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Fundamentally Secure Platform
• Windows Vista Foundation
• Streamlined User Account Control
• Enhanced Auditing

Securing Anywhere Access
• Network Security
• Network Access Protection
• DirectAccess™

Protect Users & Infrastructure
• AppLocker™
• Internet Explorer 8
• Data Recovery

Protect Data from Unauthorized Viewing
• RMS
• EFS
• BitLocker & BitLocker To Go™


Fundamentally Secure Platform

Windows Vista Foundation
• Security Development Lifecycle process
• Kernel Patch Protection
• Windows Service Hardening
• DEP & ASLR
• IE 8 inclusive
• Mandatory Integrity Controls

Streamlined User Account Control
• Make the system work well for standard users
• Administrators use full privilege only for administrative tasks
• File and registry virtualization helps applications that are not UAC compliant

Enhanced Auditing
• XML based
• Granular audit categories
• Detailed collection of audit results
• Simplified compliance management


User Account Control

Windows Vista Windows 7

Streamlined UAC

User provides explicit consent before using elevated privilege

Disabling UAC removes protections, not just consent prompt

Users can do even more as a standard user

Administrators will see fewer UAC Elevation Prompts

Reduce the number of OS applications and tasks that require elevation

Refactor applications into elevated/non-elevated pieces

Flexible prompt behavior for administrators

System Works for Standard User

All users, including administrators, run as Standard User by default

Administrators use full privilege only for administrative tasks or applications


Desktop Auditing

Windows Vista Windows 7

Simplified configuration results in lower TCO

Demonstrate why a person has access to specific information

Understand why a person has been denied access to specific information

Track all changes made by specific people or groups

Enhanced Auditing

Granular auditing complex to configure

Auditing access and privilege use for a group of users

New XML based events

Fine grained support for audit of administrative privilege

Simplified filtering of “noise” to find the event you’re looking for

Tasks tied to events


UAC & Enhanced Audit

Microsoft Confidential


Securing Anywhere Access

Network Security
• Policy based network segmentation for more secure and isolated logical networks
• Multi-Home Firewall Profiles
• DNSSec Support

Network Access Protection
• Ensure that only “healthy” machines can access corporate data
• Enable “unhealthy” machines to get clean before they gain access

DirectAccess
• Security protected, seamless, always on connection to corporate network
• Improved management of remote users
• Consistent security for all access scenarios


Network Access Protection

Health policy validation and remediation

Helps keep mobile, desktop and server devices in compliance

Reduces risk from unauthorized systems on the network

[Diagram labels: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as: Patch, AV; Remediation Servers, Example: Patch; Restricted Network; Corporate Network; Policy compliant; Not policy compliant]


Remote Access for Mobile Workers

Access Information Anywhere

Situation Today
• Difficult for users to access corporate resources from outside the office
• Challenging for IT to manage, update, patch mobile PCs while disconnected from company network

Windows 7 Solution: DirectAccess
• Same experience accessing corporate resources inside and outside the office
• Seamless connection increases productivity of mobile users
• Easy to service mobile PCs and distribute updates and policies


Protect Users & Infrastructure

AppLocker™
• Enables application standardization within an organization without increasing TCO
• Increase security to safeguard against data and privacy loss
• Support compliance enforcement

Internet Explorer 8
• Protect users against social engineering and privacy exploits
• Protect users against browser based exploits
• Protect users against web server exploits

Data Recovery
• File back up and restore
• CompletePC™ image-based backup
• System Restore
• Volume Shadow Copies


Application Control

Situation Today
• Users can install and run non-standard applications
• Even standard users can install some types of software
• Unauthorized applications may: introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts

Windows 7 Solution: AppLocker
• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy


AppLocker

Technical Details

Simple Rule Structure: Allow, Exception & Deny

Publisher Rules

Product Publisher, Name, Filename & Version

Multiple Policies

Executables, installers, scripts & DLLs

Rule creation tools & wizard

Audit only mode

SKU Availability

AppLocker™ – Enterprise


AppLocker


Social Engineering & Exploits

Reduce unwanted communications

Freedom from intrusion

International Domain Names

Pop-up Blocker in IE7

Increased usability

Choice and control

Clear notice of information use

Provide only what is needed

Control of information

User-friendly, discoverable notices

P3P-enabled cookie controls

Delete Browsing History

InPrivate™ Browsing & Blocking

Browser & Web Server Exploits

Protection from deceptive websites, malicious code, online fraud, identity theft

Protection from harm

Secure Development Lifecycle

Extended Validation (EV) SSL certs

SmartScreen® Filter

Domain Highlighting

XSS Filter/ DEP/NX

ActiveX Controls

Internet Explorer 8 Security

Building on IE7 and addressing the evolving threat landscape


Protect Data from Unauthorized Viewing

RMS
• Policy definition and enforcement
• Protects information wherever it travels
• Integrated RMS Client
• Policy-based protection of document libraries in SharePoint

EFS
• User-based file and folder encryption
• Ability to store EFS keys on a smart card

BitLocker
• Easier to configure and deploy
• Roam protected data between work and home
• Share protected data with co-workers, clients, partners, etc.
• Improve compliance and data security


Data Protection Scenarios

Scenario RMS EFS BitLocker™

Remote document policy enforcement

Protect content in transit

Protect content during collaboration

Local multi-user file & folder protection on a shared machine

Remote file & folder protection

Untrusted network administrator

Laptop protection

Branch office server

Local single-user file & folder protection


BitLocker

Situation Today Windows 7 Solution

Extend BitLocker drive encryption to removable devices

Create group policies to mandate the use of encryption and block unencrypted drives

Simplify BitLocker setup and configuration of primary hard drive

BitLocker To Go


• Gartner “Forecast: USB Flash Drives, Worldwide, 2001-2011” 24 September 2007, Joseph Unsworth

• Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III

[Chart: Worldwide Shipments (000s), 2007 to 2011; series: Removable Solid-State Storage Shipments, PC Shipments]


BitLocker

Technical Details

BitLocker Enhancements

Automatic 200 Mb hidden boot partition

New Key Protectors

Domain Recovery Agent (DRA)

Smart card – data volumes only

BitLocker To Go

Support for FAT*

Protectors: DRA, passphrase, smart card and/or auto-unlock

Management: protector configuration, encryption enforcement

SKU Availability

Encrypting – Enterprise

Unlocking – All


BitLocker


Windows 7 Enterprise Security

Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.

Fundamentally Secure Platform
• Windows Vista Foundation
• Streamlined User Account Control
• Enhanced Auditing

Securing Anywhere Access
• Network Security
• Network Access Protection
• DirectAccess

Protect Users & Infrastructure
• AppLocker
• Internet Explorer 8
• Data Recovery

Protect Data from Unauthorized Viewing
• RMS
• EFS
• BitLocker


Housekeeping


Level 2

Room S221: OFC208 – by Tara Seppa

Room S222: DAT08-HOL-E – by Microsoft Certified Trainer

Room S224 & 225: MGT339 – by Lawrence Tse

Room S226 & 227: VIR381 – by Bryon Surace

Room S228: WCL05-HOL – by Microsoft Certified Trainer

Level 4

Room S421: UNC310 – by Andrew Ehrensing

Room S423: WMB201 – by Jim Tsui

Room S425: DEV396R – by Andrew Coates

Room S427: DEV377 – by Xiao Ying Guo

Room S426: SEC11-HOL – by Microsoft Certified Trainer


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.