Amit Gatenyo is an Infrastructure & Security Manager at Dario IT Solutions ltd. The document discusses security features of Windows such as: - Defense in depth approach with multiple layers of security. - Restricted permissions for built-in accounts on Windows Vista/Server 2008 compared to Windows XP/Server 2003. - Combined firewall and IPsec management with more intelligent policy-based networking. - Hardening of Windows services and use of Group Policy Objects to manage security.

1. Amit Gatenyo
Infrastructure & Security Manager
Dario IT Solutions ltd
054-2492499
amit.g@dario.co.il
Security

2. Security
SecurityWeb Virtualization
Reduces costs, increases
hardware utilization,
optimizes your
infrastructure, and
improves server
availability
Delivers rich web-based
experiences efficiently
and effectively
Provides unprecedented
levels of protection for
your network, your data,
and your business

3. Development Process
Secure Startup and shield
up at install
Code integrity
Windows service
hardening
Inbound and outbound
firewall
Restart Manager
Improved auditing
Network Access
Protection
Event Forwarding
Policy Based Networking
Server and Domain
Isolation
Removable Device
Installation Control
Active Directory Rights
Management Services
Security Compliance
Security

4. D DD
Defense In Depth
Reduce size of
high risk layers
Segment the
services
Increase #
of layers
Kernel DriversD
D User-mode Drivers
D
D D
Service
1
Service
2
Service
3
Service
…
Service
…
Service
A
Service
B

5. Windows® XP SP2/Server 2003 R2
LocalSystem
Windows Vista/Server 2008
Network Service
Local Service
LocalSystem
Firewall Restricted
Network Service
Network Restricted
Local Service
No Network Access
LocalSystem
Network Service
Fully Restricted
Local Service
Fully Restricted

6. ‫נושא‬Windows XP / Windows Server
2003
Windows Vista / Windows
Server 2008
‫ההפעלה‬ ‫מערכת‬ ‫תהליכי‬ ‫הפעלת‬
‫מסביבת‬ ‫מופרדת‬ ‫בסביבה‬
‫המשתמש‬
‫אפשרית‬ ‫לא‬,‫אל‬ ‫לגשת‬ ‫ניתן‬
session 0‫המשתמש‬ ‫מסביבת‬
‫אפשרית‬,session 0‫מופרד‬
‫המשתמש‬ ‫מסביבת‬
‫אובייקטים‬ ‫על‬ ‫הרשאות‬ ‫מתן‬‫ה‬ ‫ברמת‬ ‫אפשרי‬–service account‫ה‬ ‫ברמת‬ ‫אפשרי‬–SID‫עבור‬
services
‫ההפעלה‬ ‫מערכת‬ ‫תהליכי‬ ‫הפעלת‬‫על‬ ‫בעיקר‬ ‫מתבססת‬LocalSystem‫מאפשר‬ ‫אשר‬ ‫מנגנון‬ ‫על‬ ‫מתבססת‬
‫מתוך‬ ‫חלקיות‬ ‫הרשאות‬ ‫ביזור‬
‫ה‬ ‫הרשאות‬–LocalSystem/
LocalService/NetworkService
‫ב‬ ‫שימוש‬–write restricted token‫קיים‬ ‫לא‬‫אפשרי‬
‫ה‬ ‫גישת‬ ‫הגבלת‬-services‫למשאבי‬
‫הרשת‬
‫חלקי‬ ‫באופן‬ ‫רק‬ ‫אפשרית‬(inbound)
,‫ה‬ ‫בהפעלת‬ ‫מותנית‬–windows
firewall
‫ה‬ ‫מרבית‬–windows services
‫למשאבי‬ ‫לגישה‬ ‫ביחס‬ ‫מוקשחים‬
‫תלות‬ ‫ללא‬ ‫אוטומטי‬ ‫באופן‬ ‫הרשת‬
‫ה‬ ‫בהפעלת‬–windows firewall,
‫עבור‬app services‫להגדיר‬ ‫ניתן‬
‫באמצעות‬ ‫הקשחה‬ ‫חוקי‬ ‫עבורם‬API

7. Combined firewall and IPsec managementFirewall rules become more intelligentPolicy-based networking

8. ‫נושא‬Windows XP / Windows Server 2003Windows Vista / Windows Server 2008
‫נכנסת‬ ‫נתונים‬ ‫תעבורת‬ ‫לגבי‬ ‫מדיניות‬ ‫אכיפת‬
(inbound)
‫אפשרית‬‫אפשרית‬
‫יוצאת‬ ‫נתונים‬ ‫תעבורת‬ ‫לגבי‬ ‫מדיניות‬ ‫אכיפת‬
(outbound)
‫אפשרית‬ ‫לא‬‫אפשרית‬
‫העברת‬ ‫אבטחת‬ ‫תצורת‬ ‫לגבי‬ ‫מדיניות‬ ‫אכיפת‬
‫נתונים‬
‫ה‬ ‫ברמת‬ ‫נתמך‬ ‫לא‬–firewall,‫למימוש‬ ‫אפשרי‬
‫ע‬"‫ה‬ ‫י‬–IP security policies(GPO)
‫באמצעות‬ ‫אפשרית‬IPSEC
‫בדומיין‬ ‫לחברות‬ ‫בהתאם‬ ‫מדיניות‬ ‫אכיפת‬‫אפשרית‬ ‫לא‬‫אפשרית‬
‫משתמש‬ ‫לשם‬ ‫בהתאם‬ ‫מדיניות‬ ‫אכיפת‬/‫שם‬
‫מחשב‬
‫אפשרית‬ ‫לא‬‫אפשרית‬
‫המחשב‬ ‫אליה‬ ‫לרשת‬ ‫בהתאם‬ ‫מדיניות‬ ‫אכיפת‬
‫מחובר‬
‫אפשרית‬ ‫לא‬‫אפשרית‬–‫קיימים‬3‫פרופילים‬
(public/private/domain)
‫ב‬ ‫תמיכה‬–windows service hardening‫קיימת‬ ‫לא‬‫קיימת‬
‫באמצעות‬ ‫חוקים‬ ‫בהחלת‬ ‫תמיכה‬GPO‫מה‬ ‫שונה‬ ‫הממשק‬ ‫אבל‬ ‫אפשרית‬–windows
firewall MMC
‫ל‬ ‫לחלוטין‬ ‫זהה‬ ‫באופן‬ ‫אפשרית‬–windows
firewall advanced security MMC
‫עקיפה‬ ‫חוקי‬ ‫קביעת‬(bypass)‫תקשורת‬ ‫עבור‬
‫נכנסת‬/‫ספציפיים‬ ‫ממחשבים‬ ‫יוצאת‬
‫חלקי‬ ‫באופן‬ ‫אפשרית‬‫אפשרית‬
‫אובייקטים‬ ‫סמך‬ ‫על‬ ‫בהתאם‬ ‫חוקים‬ ‫קביעת‬
‫מה‬–Active Directory
‫אפשרית‬ ‫לא‬‫אפשרית‬
‫ב‬ ‫תמיכה‬–IPv6‫דורשת‬ ‫אבל‬ ‫אפשרית‬SP(‫עבור‬Windows XP
– SP2,‫עבור‬Windows Server 2003 – SP1)
‫ב‬ ‫צורך‬ ‫ללא‬ ‫אפשרית‬–SP

9. Only a subset of the executable files and DLLs installed
No GUI interface installed
9 available Server Roles
Can be managed with remote tools

10. Customization
Troubleshooting
Administration
True application deployment
Application and health
management

11. • Arsenal of Admin Tools
• Delegated Management
• Secure Remote Management
• Shared Config for Web Farms
Better Tools
Intuitive, Task Oriented GUI
.NET Management API
Unified WMI Provider for IIS/ASP.NET
Powerful Command Line Support
Rich Runtime State Information
Automatic Failure Tracing & Logging
Site Owner Web.config
XML
Administrator
Internet
Manage Remotely
Secure HTTPS
AppHost.config
XML
Shared
Config
Shared App Hosting
Web FarmApp

12. Group Policy allows central encryption policy and provides Branch
Office protection
Provides data protection, even when the system is in unauthorized hands
or is running a different or exploiting Operating System
Uses a v1.2 TPM or USB flash drive for key storage
Full Volume
Encryption Key
(FVEK)Encryption
Policy

13. ‫פתרון‬
‫מתקפה‬
‫בזמן‬
hibern
ate
‫מתקפה‬
‫בזמן‬
sleep/
standby
‫מתקפה‬
‫כנגד‬
‫תהליך‬
‫האתחול‬
‫מתקפה‬
‫כנגד‬
online
‫מערכת‬
‫ההפעלה‬
‫חשיפת‬
‫מפתחות‬
‫בזמן‬
offline
‫מתקפה‬
‫המבוססת‬
‫על‬
‫חשיפת‬
‫סיסמאות‬
‫טעויות‬
‫משתמש‬
‫זליגת‬
‫מידע‬
plaint
ext
‫גניבת‬
‫המחשב‬
‫בלבד‬ TPM
‫בלבד‬ USB
PIN
‫בשילוב‬
TPM

USB
‫בשילוב‬
TPM


14. AD RMS protects access to an
organization’s digital files
AD RMS in Windows Server 2008
includes several new features
Improved installation and
administration experience
Self-enrollment of the AD RMS
cluster
Integration with AD Federation
Services
New AD RMS administrative roles
Information Author The Recipient

15. Protected emails

20. Add users
with Read
and Change
permissions Verify
aliases
& DLs via
AD
Add
advanced
permission
s

21. Set expiration
date
Enable
print, copy
permissions
Add/remove
additional users
Contact for
permission
requests
Enable
viewing via
RMA

22. Protected doc library

33. AD FS provides an identity
access solution
Deploy federation servers in
multiple organizations to
facilitate business-to-
business (B2B) transactions
AD FS provides a Web-
based, SSO solution
AD FS interoperates with
other security products that
support the Web Services
Architecture
AD FS improved in Windows
Server 2008
Web
Server
Account
Federation
Server
Resource
Federation
Server
LeadcomDario
Federation
Trust

34. Main Office Branch Office
Features
Benefits
RODC

35. Enterprise PKI (PKIView) Online Certificate Status
Protocol (OSCP)
Network Device Enrollment
Service
Web Enrollment

36. Cryptography Next Generation
(CNG)
Includes algorithms for encryption, digital signatures, key exchange, and
hashing
Supports cryptography in kernel mode
Supports the current set of CryptoAPI 1.0 algorithms
Support for elliptic curve cryptography (ECC) algorithms
Perform basic cryptographic operations, such as creating hashes and
encrypting and decrypting data

37. ‫נושא‬CryptoAPICNG
‫סימטרית‬ ‫בהצפנה‬ ‫תמיכה‬
‫א‬ ‫בהצפנה‬ ‫תמיכה‬-‫סימטרית‬
‫ב‬ ‫תמיכה‬–hash
‫דיגיטליות‬ ‫בתעודות‬ ‫תמיכה‬‫באמצעות‬CAPI 2.0
‫ארכיטקטורה‬CSPProtocol provider, CNG routers, CNG primitives
‫הצפנה‬ ‫במנגוני‬ ‫תמיכה‬legacy
‫אין‬
‫אקראיים‬ ‫מספרים‬ ‫מחולל‬ ‫החלפת‬
‫מחדש‬ ‫הקוד‬ ‫כתיבת‬ ‫דורשת‬‫בקוד‬ ‫מהותי‬ ‫שינוי‬ ‫ללא‬ ‫אפשרית‬
‫חדשים‬ ‫אלגוריתמים‬ ‫שילוב‬
‫אפשרי‬ ‫לא‬–‫קשיחה‬ ‫רשימה‬‫אפשרית‬–‫לעידכון‬ ‫וניתנת‬ ‫דינמית‬ ‫רשימה‬
‫מרכזי‬ ‫ניהול‬ ‫מנגנון‬
‫אין‬‫ה‬ ‫באמצעות‬ ‫אפשרי‬–key storage API
‫ב‬ ‫תמיכה‬–Suite B‫אין‬
‫אלגוריתמים‬
CAPI 1.0
AES , SHA1 , SHA2, DSA,
RSA,ECC,DH,ECDSA,ECDH,MD2,MD4,MD5, CAPI
1.0
‫הפרטי‬ ‫המפתח‬ ‫הפרדת‬
‫מהאפליקציה‬
‫אפשרי‬ ‫לא‬‫באמצעות‬ ‫לביצוע‬ ‫אפשרי‬key isolation process
‫המפתחות‬ ‫שמירת‬ ‫מיקום‬
‫הפרטיים‬
‫ל‬ ‫מקושר‬–SID,‫תהליך‬ ‫על‬ ‫מקשה‬
‫דומיינים‬ ‫בין‬ ‫מעבר‬
‫ל‬ ‫מקושר‬ ‫לא‬–SID,‫בין‬ ‫מעבר‬ ‫תהליך‬ ‫לבצע‬ ‫קל‬
‫דומיינים‬
‫המפתחות‬ ‫שמירת‬ ‫פורמט‬‫סיומת‬REG,‫של‬ ‫מגבלה‬256‫תווים‬
‫בשם‬
‫סיומת‬ ‫ללא‬ ‫חדש‬ ‫פורמט‬REG,‫של‬ ‫מגבלה‬512‫תווים‬
‫בשם‬

38. Internet
Perimeter
Network
Corporate
Network
Remote/
Mobile User
Terminal
Services
Gateway
Network
Policy Server
Active
Directory DC
Tunnels RDP
over HTTPs
Strips off RDP
/ HTTPs
Terminal
Servers
and other
RDP Hosts
RDP traffic
passed to TS
Internet

39. Remediation
Servers
Example: Patch
Restricted
Network
Windows
Client
Policy
compliant
NPS
DHCP, VPN
Switch/Router
Policy Servers
such as: Patch, AV
Corporate Network
Not policy
compliant
What is Network Access
Protection?
Health Policy Validation Health Policy Compliance
Ability to Provide Limited
Access
Enhanced Security
Increased Business Value

40. 1
Remediation
Servers
Example: Patch
Restricted
Network
1
Windows
Client
2
2
DHCP, VPN or Switch/Router relays health status
to Microsoft Network Policy Server (RADIUS)
3
3
Network Policy Server (NPS) validates against IT-
defined health policy
4
If not policy compliant, client is put in a
restricted VLAN and given access to fix up
resources to download patches, configurations,
signatures (Repeat 1 - 4)
Not policy
compliant
5
If policy compliant, client is granted full access
to corporate network
Policy
compliant
NPS
DHCP, VPN
Switch/Router
4
Policy Servers
such as: Patch, AV
Corporate Network
5
Client requests access to network and presents
current health state

41. 41
Internet Protocol security (IPsec)-protected
communications
IEEE 802.1X-authenticated network
connections
Remote access virtual private network (VPN)
connections
Dynamic Host Configuration Protocol (DHCP)
configuration

42. Policy based – was network access
allowed
• Health based - % compliant per SHA

43. http://www.dario.co.il/blog

44. Amit Gatenyo
Infrastructure & Security Manager
Dario IT Solutions ltd
amit.g@dario.co.il
054-2492499