Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada


Security and Compliance

Bruce Cowper, Senior Program Manager; Security Initiative, Microsoft Canada

Rodney Buike, IT Pro Advisor, Microsoft Canada


Enabling Security and Compliance


Fundamentals

Improved Security Development Lifecycle (SDL) process for Windows Vista

• Periodic mandatory security training
• Assignment of security advisors for all components
• Threat modeling as part of design phase
• Security reviews and testing built into the schedule
• Security metrics for product teams

Common Criteria (CC) Certification


Service Hardening

Windows Service Hardening: Defense in depth

Services run with reduced privilege compared to Windows XP

Windows services are profiled for allowed actions to the network, file system, and registry

Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn’t part of that service’s profile

[Diagram labels: Active protection; File system; Registry; Network]


Internet Explorer 7

Social Engineering Protections
• Phishing Filter and Colored Address Bar
• Dangerous Settings Notification
• Secure defaults for IDN

Protection from Exploits
• Unified URL Parsing
• Code quality improvements (SDLC)
• ActiveX Opt-in
• Protected Mode to prevent malicious software

Page 8: Security and Compliance Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada Rodney Buike IT Pro Advisor Microsoft Canada.

Advanced Malware Protection

[Diagram labels: Internet Explorer; IE6; Exploit can install malware; Admin-Rights Access: HKLM, Program Files; User-Rights Access: HKCU, My Documents, Startup Folder; Temp Internet Files: Un-trusted files and settings; Install a driver and run Windows Update; Install an ActiveX control; Change settings, download a picture; Change settings, save a picture; Cache Web content; Integrity Control; Compact Redirector; Redirected settings & files; IEAdmin; IEUser]


Phishing Filter: Dynamic Protection Against Fraudulent Websites

3 “checks” to protect users from phishing scams:

1. Compares web site with local list of known legitimate sites

2. Scans the web site for characteristics common to phishing sites

3. Double checks site with online Microsoft service of reported phishing sites updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar

Level 1: Warn (Suspicious Website Signaled)

Level 2: Block (Confirmed Phishing Site Signaled and Blocked)


ActiveX Opt-in

IE7

Disabled Controls by default

IE7 blocks ActiveX Control

User grants permission (opts-in)

IE7 confirms install

ActiveX Control enabled


Windows Defender

Improved Detection and Removal

Redesigned and Simplified User Interface

Protection for all users


Windows Vista Firewall

Combined firewall and IPsec management
• New management tools – Windows Firewall with Advanced Security MMC snap-in
• Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent
• Specify security requirements such as authentication and encryption
• Specify Active Directory computer or user groups

Outbound filtering
• Enterprise management feature – not for consumers

Simplified protection policy reduces management overhead


Network Access Protection

[Diagram with numbered steps 1 to 5. Labels: Windows Vista Client; DHCP, VPN, Switch/Router; MSFT Network Policy Server; Policy Servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party); Policy compliant; Not policy compliant; Restricted Network; Fix Up Servers (e.g. MSFT WSUS, SMS & 3rd party); Corporate Network]

Enhanced Security
• All communications are authenticated, authorized & healthy
• Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
• Policy-based access that IT Pros can set and control


Information Leakage Is Top-of-mind With Business Decision Makers

“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach”

Jupiter Research Report, 2004

[Bar chart, scale 0% to 70%]
• Loss of digital assets, restored: 20%
• Email piracy: 22%
• Password compromise: 22%
• Loss of mobile devices: 35%
• Unintended forwarding of emails: 36%
• Virus infection: 63%


BitLocker™ Drive Encryption

Designed specifically to prevent a thief who boots another Operating System or runs a hacking tool from breaking Windows file and system protections

Provides data protection on your Windows client systems, even when the system is in unauthorized hands or is running a different or exploiting operating system

Uses a v1.2 TPM or USB flash drive for key storage


BitLocker Drive Encryption

• Improved at-rest data protection with full drive encryption
• Usability with scalable security protections
• Enterprise-ready deployment capabilities
• Offline system-tampering resistance
• Worry-free hardware repurposing and decommissioning
• Integrated disaster recovery features


Trusted Platform Module

[Diagram labels: TPM Volume Master Key; Encrypted Volume Key; Encrypted Full Volume Encryption Key; Full Volume Encryption Key; Encrypted Data; Cleartext Data]


Spectrum Of Protection

BDE offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

[Chart axes: Security; Ease of Use]

TPM Only: “What it is.”
• Protects against: SW-only attacks
• Vulnerable to: HW attacks (including potentially “easy” HW attacks)

TPM + PIN: “What you know.”
• Protects against: Many HW attacks
• Vulnerable to: TPM breaking attacks

Dongle Only: “What you have.”
• Protects against: All HW attacks
• Vulnerable to: Losing dongle; Pre-OS attacks

TPM + Dongle: “Two what I have’s.”
• Protects against: Many HW attacks
• Vulnerable to: HW attacks


Windows Vista Data Protection

• Policy Definition and Enforcement: Rights Management Services
• User-Based File System Encryption: Encrypted File System
• Drive-Level Encryption: BitLocker Drive Encryption


Recovery Options

BitLocker™ setup will automatically escrow keys and passwords into AD

Centralized storage/management keys (EA SKU)

Setup may also try (based on policy) to back up keys and passwords onto a USB dongle or to a file location

Default for non-domain-joined users

Exploring options for web service-based key escrow

Recovery password known by the user/administrator

Recovery can occur “in the field”

Windows operation can continue as normal


Improve Wireless Security: Lowers Risk

IEEE 802.11i replaces previous, less secure encryption schemes and interim security standards

• Supports IEEE 802.11i
• Superior encryption with Advanced Encryption Standard (AES)
• Fast roaming with cached credentials
• Faster re-connect to commonly used networks


XPS Document Format

New secure XML-based document specification

Features Overview
• Create using Microsoft Office applications
• Support digital signatures
• Support digital rights management
• Format based on XML

Benefits Overview
• Format unpaginated content for reading
• Distribute application-agnostic documents
• Leverage for service-oriented applications


Challenges
• Users running as admin = unmanaged desktops
• Line of Business (LoB) applications require elevated privileges to run
• Common Operating System Configuration tasks require elevated privilege


User Account Control

Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls

Make the system work well for standard users
• Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
• Make it clear when elevation to admin is required and allow that to happen in-place without logging off
• High application compatibility with file/registry virtualization

Administrators use full privilege only for administrative tasks or applications

User provides explicit consent before using elevated privilege


Authentication Improvements

Plug and Play Smart Cards
• Drivers and Certificate Service Provider (CSP) included in Windows Vista
• Login and credential prompts for User Account Control all support Smart Cards

New logon architecture
• GINA (the old Windows logon model) is gone. Third parties can add biometrics, one-time password tokens, and other authentication methods to Windows with much less coding


Improved Auditing

More Granularity
• Support for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege
• Previous versions of Windows only support high-level categories such as System, Logon/Logoff, and Object Access, with little granularity

New Logging Infrastructure
• Easier to filter out “noise” in logs and find the event you’re looking for
• Tasks tied to events: When an event occurs, such as administrative privilege use, tasks such as sending an Email to an auditor can run automatically
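The subcategory auditing and event-triggered tasks described on this slide, shown as an added example that is not part of the original presentation. It uses the built-in auditpol, wevtutil and schtasks tools from an elevated PowerShell prompt on Windows Vista or later; the task name and the script path C:\Scripts\Notify-Auditor.ps1 are hypothetical, and event IDs 4673 and 4674 are the Security-log events written by the "Sensitive Privilege Use" subcategory.

```powershell
# Added example, not from the original slides. Run from an elevated prompt.

# 1. List the subcategories under one high-level category with their current settings.
auditpol /get /category:"Privilege Use"

# 2. Enable auditing per subcategory instead of switching on a whole category.
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
# Object-access subcategories only log objects that carry an audit SACL,
# so failures are recorded only for files and keys configured for auditing.
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Registry" /failure:enable

# 3. Filter out the noise: an XPath query that returns only privilege-use events.
#    4673 = a privileged service was called
#    4674 = an operation was attempted on a privileged object
$privUse = '*[System[(EventID=4673 or EventID=4674)]]'
wevtutil qe Security "/q:$privUse" /c:10 /rd:true /f:text

# 4. Tie a task to the event: the same query becomes the trigger of a scheduled
#    task. Notify-Auditor.ps1 is a hypothetical script that mails the auditor.
schtasks /Create /TN 'Notify-Auditor-PrivilegeUse' /SC ONEVENT /EC Security `
    /MO $privUse /RU SYSTEM `
    /TR 'powershell.exe -NoProfile -File C:\Scripts\Notify-Auditor.ps1'

# 5. Confirm what is now audited and that the task is registered.
auditpol /get /subcategory:"Sensitive Privilege Use"
schtasks /Query /TN 'Notify-Auditor-PrivilegeUse' /V /FO LIST
```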


Q&A

Bruce Cowper, Senior Program Manager; Security Initiative, Microsoft Canada

Rodney Buike, IT Pro Advisor, Microsoft Canada


© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.