Windows Server 2008 Security Overview Short

In this presentation we review the security changes in Windows 2008 and Windows 2008 R2.

Regards,
Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
http://mswindowscr.org
http://comunidadwindows.org
Costa Rica

Transcript of Windows Server 2008 Security Overview Short

Page 1: Windows  Server 2008  Security  Overview  Short
Page 2: Windows  Server 2008  Security  Overview  Short

Ing. Eduardo Castro, PhD
Comunidad Windows
http://comunidadwindows.org

Page 3: Windows  Server 2008  Security  Overview  Short

“Windows Server 2008 helps Macquarie operate… our remote offices more securely and efficiently than we could in the past.”
Phillip Dundas, Technical Team Lead, Windows Server Group, Information Technology Group, Macquarie Group Limited

“We’ll be able to use RODC to place domain controllers at sites where physical security has always been a concern and we’ll have much better control over our remote infrastructure.”
Loic Calvez, Senior Enterprise Infrastructure Architect, Lafarge

“The public key infrastructure that we created through our deployment of Windows Server 2008 has fundamentally increased the level of information security that we have at the bank.”
Security Director, PKO Bank Polski

“We are confident that the bank is now more secure, that devices accessing our network are secure, and that those devices meet our current network policy for access.”
Howard Witherby, Senior Vice President of Operations, National Bank & Trust

Page 4: Windows  Server 2008  Security  Overview  Short

Security Development Lifecycle

Installation Options

Read Only Domain Controller (RODC)

Network Access Protection (NAP)

Others

Page 5: Windows  Server 2008  Security  Overview  Short

Foundation

Service Hardening*

Kernel Patch Protection*

Data Execution Prevention*

BitLocker*

Mostly Server

R2

DirectAccess

AppLocker

Enhanced Storage Access

DNSSEC

Enhanced Auditing*

Suite-B for EFS, Kerberos, TLS v1.2 and more

Mostly Windows 7

BitLocker to Go

Multiple Firewall Profiles

Streamlined UAC

Biometric Framework

HTTP PKI Enroll

PIV Smartcards

Page 6: Windows  Server 2008  Security  Overview  Short

Methods of Security and Policy Enforcement

Network Location Awareness

Network Access Protection

Windows Firewall with Advanced Security

Internet Protocol Security

Windows Server Hardening

Server and Domain Isolation

Active Directory Domain Services Auditing

Read-Only Domain Controller

BitLocker Drive Encryption

Removable Device Installation Control

Enterprise PKI

Page 7: Windows  Server 2008  Security  Overview  Short
Page 8: Windows  Server 2008  Security  Overview  Short

Create inbound and outbound rules

Create a firewall rule limiting a service

Page 9: Windows  Server 2008  Security  Overview  Short

Integrated with WFAS

IPSec improvements

Simplified IPSec policy configuration

Client-to-DC IPSec protection

Improved load balancing and clustering server support

Improved IPSec authentication

Integration with NAP

Multiple authentication methods

New cryptographic support

Integrated IPv4 and IPv6 support

Extended events and performance monitor counters

Network diagnostics framework support

Page 10: Windows  Server 2008  Security  Overview  Short

What changes have been made to AD DS auditing?

Page 11: Windows  Server 2008  Security  Overview  Short

New Functionality

AD database

Unidirectional replication

Credential caching

Password replication policy

Administrator role separation

Read-Only DNS

Requirements/special considerations

RODC

Page 12: Windows  Server 2008  Security  Overview  Short

A read-only Active Directory Domain Services database

Unidirectional replication mitigating misinformation even if a change is made on a RODC

Caching of only specific attributes based

Credential caching for only specific users

Separation of administrator capabilities

Read-only DNS

Pre-create RODC account allowing local installation without the need for admin credentials

Page 13: Windows  Server 2008  Security  Overview  Short

Data protection

Drive encryption

Integrity checking

BDE hardware and software requirements

Page 14: Windows  Server 2008  Security  Overview  Short

Easier management through PKIView

Certificate Web enrollment

Network device enrollment service

Managing certificates with Group Policy

Certificate deployment changes

Online certificate status protocol support

Cryptographic next generation

Page 15: Windows  Server 2008  Security  Overview  Short

Enforce Security Policy

Improve Domain Security

Improve System Security

Improve Network Communications Security

Page 16: Windows  Server 2008  Security  Overview  Short
Page 17: Windows  Server 2008  Security  Overview  Short

Network Access Protection

• Internal, VPN, and Remote Access Client

• IPSec, 802.1X, DHCP, and VPN

• NAP NPS and Client included in Windows Server 2008; NAP client included in Windows Vista

Network Access Quarantine Control

• Only VPN and Remote Access Clients

• DHCP and VPN

• Installed from Windows Server 2003 Resource Kit

Page 18: Windows  Server 2008  Security  Overview  Short

Automatic remediation

Health policy validation

Health policy compliance

Limited access

Page 19: Windows  Server 2008  Security  Overview  Short

How it works

1 Client requests access to network and presents current health state

2 DHCP, VPN, or Switch/Router relays health status to Microsoft Network Policy Server (NPS) via Remote Authentication Dial-In User Service (RADIUS)

3 Network Policy Server (NPS) validates against IT-defined health policy

4 If not policy-compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)

5 If policy-compliant, client is granted full access to corporate network

[Diagram labels: Windows Client; DHCP, VPN, Switch/Router; Microsoft NPS; Policy Servers e.g. Patch, Antivirus; Restricted Network (not policy-compliant); Fix Up Servers e.g. Patch; Corporate Network (policy-compliant)]

Page 20: Windows  Server 2008  Security  Overview  Short

802.1X

VPN

IPSec

DHCP

NPS RADIUS

Page 21: Windows  Server 2008  Security  Overview  Short

Create a NAP policy

Use the MMC to create NAP configuration settings

Create a new RADIUS client

Create a new system health validator for Windows Vista and Windows XP SP2

Page 22: Windows  Server 2008  Security  Overview  Short

Logical Networks

IPSec Enforcement

IEEE 802.1X

Remote Access VPNs

DHCP

Page 23: Windows  Server 2008  Security  Overview  Short
Page 24: Windows  Server 2008  Security  Overview  Short

Checking the health and status of roaming laptops

Ensuring the health of corporate desktops

Determining the health of visiting laptops

Verify the compliance of home computers

Page 25: Windows  Server 2008  Security  Overview  Short

Carefully test and plan all security policies

Implement Network Access Protection

Use Windows Firewall and Advanced Security to implement IPSec

Deploy Read-Only Domain Controllers, where appropriate

Implement BitLocker Drive Encryption

Take advantage of PKI improvements

Page 26: Windows  Server 2008  Security  Overview  Short

Group Policy Changes

How Group Policy works now...

Templates: ADM templates difficult to manage

Troubleshooting: Userenv log, GP Result

Templates and Replication: Journal Wrap anyone? Bloated SYSVOL?

Local GPOs: Limited flexibility with a single local GPO

Settings: ~1,800 policy settings in XP. Incomplete coverage means missing key scenarios

Group Policy Process: Part of Winlogon

Network: Limited awareness of changing network conditions

[Diagram labels: LGPO’s; LGPO Local Computer Policy; DC SysVol; ADM]

Group Policy Service: GP now runs in a shared service. Hardened Service, more reliable

Group Policy Settings: Over 800 new policy changes with Windows Vista. Extended GP for new Windows Vista features

Network Location Awareness (NLA): NLA service provides the latest network information. Applications can query or register with NLA for network change indications

Group Policy Logging: Administrative log. Applications and Services log. XML based event logs. New Tools - GPOLogView

Group Policy Templates: ADM Templates now in ADMX files (ADMX, ADML)

Multiple Local GPOs: User Specified Group Policy. Admin/Non-Admin Group Policy. Local Computer Policy

Group Policy Central Store: Centralized repository for ADMX. Created in the Sysvol on DC in each domain

New Replicator with DFS-R

[Diagram labels: Windows Vista/Windows Server 2008; ADM, ADMX; LGPO’s; LGPO; Admin; User; DC; FRS/DFS-R; SysVol; ADMX; ADML; Policies; GUID; ADM; Policy Definitions; ADMX, ADML Files]

Page 27: Windows  Server 2008  Security  Overview  Short

What is new?

GP PowerShell features

Adding to GP scripts extensions

PowerShell cmdlets to perform GP operations

Starter GPOs in-box in Windows 7

Best practices that map to the security guide

ADMX enhancements

GP Preferences enhancements

GP Preferences, new in Windows Server 2008

New items added to support new OS functionality

Page 28: Windows  Server 2008  Security  Overview  Short

Import-Module GroupPolicy

Get-Help *-GP*

New

• New-GPLink

• New-GPO

• New-GPStarterGPO

Get

• Get-GPInheritance

• Get-GPO

• Get-GPOReport

• Get-GPPermissions

• Get-GPPrefRegistryValue

• Get-GPRegistryValue

• Get-GPResultantSetofPolicy

• Get-GPStarterGPO

Set

• Set-GPInheritance

• Set-GPLink

• Set-GPPermissions

• Set-GPPrefRegistryValue

• Set-GPRegistryValue

Remove

• Remove-GPLink

• Remove-GPO

• Remove-GPPrefRegistryValue

• Remove-GPRegistryValue

Misc

• Backup-GPO

• Copy-GPO

• Import-GPO

• Rename-GPO

• Restore-GPO
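An added example, not taken from the presentation: a re-runnable script that uses several of the cmdlets listed above to create a GPO requiring Network Level Authentication for RDP, verify the stored value, link the GPO, and keep a report and backup. The GPO name, OU path, and backup folder are assumptions; it requires the GroupPolicy module on a domain-joined management host.

```powershell
# Added example. $GpoName, $TargetOu and $BackupDir are hypothetical values.
Import-Module GroupPolicy

$GpoName   = 'SEC - Require NLA for RDP'               # hypothetical GPO name
$TargetOu  = 'OU=Servers,DC=corp,DC=example,DC=com'    # hypothetical OU
$BackupDir = 'C:\GPOBackups'                           # hypothetical folder
$Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Create the GPO only if it does not exist yet, so the script can be re-run.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Require NLA for RDP' }

# Registry-based policy: UserAuthentication = 1 requires NLA for RDP sessions.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UserAuthentication' `
    -Type DWord -Value 1 | Out-Null

# Read the setting back from the GPO and stop if it is not what was intended.
$check = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UserAuthentication'
if ($check.Value -ne 1) { throw "Unexpected value stored in GPO: $($check.Value)" }

# Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    ForEach-Object { $_.DisplayName }
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Keep an HTML report for review and a backup for rollback.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $BackupDir 'nla-gpo.html')
Backup-GPO -Name $GpoName -Path $BackupDir -Comment 'After enabling NLA' | Out-Null
```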

Page 29: Windows  Server 2008  Security  Overview  Short

Have heard up to 11,000 GPOs

Not best practice

GPMC has perf issues loading

Management difficulties

Troubleshooting difficulties

Migration difficulties

Recommendation:

Consolidate

AGPM is tested up to 2000 GPOs

Page 30: Windows  Server 2008  Security  Overview  Short

New UI: More intuitive, integrated help content, no more tabs

Support for:

REG_MultiSZ

REG_QWORD

Page 31: Windows  Server 2008  Security  Overview  Short

Starter GPOs & ADMX UI

Page 32: Windows  Server 2008  Security  Overview  Short

Preference Settings

Not true “Policy”

More control of desktop – more settings!

Not limited to policy-aware applications

Ease of administration through rich UI

Better targeting

New in Windows 7

Support for new Power Plan settings

Support for new Schedule task triggers, actions, etc.

Page 33: Windows  Server 2008  Security  Overview  Short
Page 34: Windows  Server 2008  Security  Overview  Short

Group Policies

(Native / Managed)

• Settings are enforced, user cannot change settings

• Settings revert back to original setting

• Highest precedence

• Work only on specific registry location

Group Policy Preferences

• Users can change settings

• Multiple items per GPO

• Can write registry settings to more than HKCU, HKLM hives

• Granular Targeting of individual items

Page 35: Windows  Server 2008  Security  Overview  Short

Drive Mappings

Regional Settings

Printer Mappings

Shortcuts

Start Menu

Internet Explorer Settings

Page 36: Windows  Server 2008  Security  Overview  Short

Local Users and Groups

Services

Network Shares

Environment Variables

Page 37: Windows  Server 2008  Security  Overview  Short

Familiar Experience

Clearer to understand and find

Easy to manage

Better control of individual settings – Red/Green

Powerful browsers

Avoids typing errors

Configure settings quicker

Page 38: Windows  Server 2008  Security  Overview  Short

29 different targeting options

Boolean AND, OR, IS, IS NOT

Wildcard support

“WSBNE*”

Target on the item, not just the GPO

Page 39: Windows  Server 2008  Security  Overview  Short

Item level targeting, not GPO level

Robust targeting

29 types

Boolean logic (And, Or, Not)

Collections

Intuitive UI

No need to learn query languages

Page 40: Windows  Server 2008  Security  Overview  Short

Apply once and do not reapply

Remove when no longer applicable

Create – Replace - Update - Delete

More than just Enable vs Disable

Page 41: Windows  Server 2008  Security  Overview  Short

Active Directory: Windows 2000

Console - Group Policy Manager Console - Snap-in

Part of the Remote Server Admin Tool (link and end)

One Windows 7 client or Windows Server 2008 R2 Terminal Server

Client - Client Side Extensions (CSE’s)

Page 42: Windows  Server 2008  Security  Overview  Short

3000 Total ADMX settings

300 new ADMX settings

IE more than 90 new

BitLocker

Taskbar

Power

Terminal Services rebranded “Remote Desktop Services”

Settings Spreadsheet

Page 43: Windows  Server 2008  Security  Overview  Short

12 settings added under Security Options

Restrict NTLM (multiple)

Kerberos encryption types

Local System null session fallback

Only supported on Windows 7 & Windows Server 2008 R2

Settings Spreadsheet

Page 44: Windows  Server 2008  Security  Overview  Short

Wireless Network (IEEE 802.11) Policies

Public Key Policies

Certificate Services Client - Certificate Enrollment Policy

BitLocker Drive Encryption

Network Access Protection

Enforcement Clients: Removed RAQ EC and TS Gateway

Enforcement Clients: Added RD Gateway QEC

Application Control Policies – AppLocker

More info

Advanced Audit Policy Configuration

More info

Name Resolution Policy

Page 45: Windows  Server 2008  Security  Overview  Short

Storage growth

Storage cost

Compliance

Security and Information leakage

Replication

Backup

HSM

Security

Archive

Encryption

Expiration

Increasing data management needs / many data management products

Page 46: Windows  Server 2008  Security  Overview  Short

Need per project share

Make sure business secret files do not leak out

Backup files with personal information to encrypted store

Expire low business impact files created three years ago and not touched for a year

IT Business

Page 47: Windows  Server 2008  Security  Overview  Short
Page 48: Windows  Server 2008  Security  Overview  Short

Step 1: Classify data

Step 2: Apply policy according to classification

Page 49: Windows  Server 2008  Security  Overview  Short

Need per project share

Make sure business secret files do not leak out

Backup files with personal information to encrypted store

Expire low business impact files created three years ago and not touched for a year

IT Business

Personal Information

Secrecy

Page 50: Windows  Server 2008  Security  Overview  Short

Step 1: Classify data

Step 2: Apply policy based on classification

Manual

Line Of Business application

Automatic classification

Location

Content

Owner

Other

IT Scripts

Backup

Archive

Reports

Expiration

Security Leakage prevention

Search

Custom commands

Page 51: Windows  Server 2008  Security  Overview  Short

Discover Data

Extract classification properties

Classify data

Store classification properties

Apply Policy based on classification

Extensible infrastructure-Partner ecosystem

Inbox end to end scenarios

Integration with SharePoint

Set classification properties API for external applications

Windows Server 2008 R2 File Classification Extensibility points

Get classification properties API for external applications

Page 52: Windows  Server 2008  Security  Overview  Short

When using IPSec – employ ESP with encryption

Carefully test and verify all IPSec Policies

Consider using Domain isolation

Use quality of service to improve bandwidth

Plan to prioritize traffic on the network

Apply network access protection to secure client computers

Page 53: Windows  Server 2008  Security  Overview  Short

IPSec Server Domain Isolation

Full Volume BitLocker on Servers

New elliptic curve encryption strength

Network Level Authentication for RDP

Service Profiling

New Levels of System Auditing

… and many more

Page 54: Windows  Server 2008  Security  Overview  Short

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 55: Windows  Server 2008  Security  Overview  Short