1. Security Enhancement NarendaWicaksono IT Pro Advisor, Microsoft Indonesia

2. Agenda Security Fundamentals Threat and Vulnerability Mitigation Identity and Access Control Compliance Enhancements Technology Coverage Read Only Domain Controller, Bit Locker, Service Hardening, Server Core, Device Installation, Next Gen firewall, NAP and Terminal Services/RDP changes, Rights management, … and more

3. SECURITY: FUNDAMENTALS THREAT & VULNERABILITY MITIGATION Network Access Protection Read-Only Domain Controller Enhanced Auditing Server and Domain Isolation Security Development Lifecycle Windows Service Hardening Next Generation Crypto PKI Enhancements IDENTITY & ACCESS CONTROL COMPLIANCE ENHANCEMENTS BitLocker™ Drive Encryption EFS Smartcards Rights Management Server Removable Device Control Active Directory Federation Services Plug and Play Smartcards Granular Auditing Granular Password Control Security and Compliance

4. Security Fundamentals

5. Security Development Lifecycle Mandated development process for Windows Server and Windows Vista Periodic mandatory security training Assignment of security advisors for all components Threat modeling as part of design phase Security reviews and testing built into the schedule Security metrics for product teams Common Criteria (CC) Certification

6. Windows Service HardeningDefense-in-Depth / Factoring D D D D D D D D Reduce size ofhigh risk layers Segment theservices Increase # of layers Service 1 Service … Service 2 Service… Service A Service 3 Service B Kernel Drivers User-mode Drivers

7. Server Core Minimal installation option Low surface area Command line interface Limited set of server roles SERVER, SERVER ROLES (for example only) TS IAS WebServer SharePoint Etc… SERVER With WinFx, Shell, Tools, etc. SERVER CORE SERVER ROLES DNS DHCP File AD WV IIS SERVER CORE Security, TCP/IP, File Systems, RPC,plus other Core Server Sub-Systems GUI, CLR, Shell, IE, Media, OE, etc.

8. Windows Server 2008 Services

9. Cryptography Next Generation (CNG) Cryptography Next Generation Includes algorithms for encryption, digital signatures, key exchange, and hashing Supports cryptography in kernel mode Supports the current set of CryptoAPI 1.0 algorithms Support for elliptic curve cryptography (ECC) algorithms Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data

10. PKI Enhancements Online Certificate Status Protocol (OSCP) Enterprise PKI (PKIView) Network Device Enrollment Service and Simple Certificate Enrollment Protocol Web Enrollment

11. Windows Server Firewall More Control Combined firewall and IPsec management

12. Windows Server Firewall More Control Firewall rules become more intelligent

13. Windows Server Firewall More Control Firewall rules become more intelligent

14. Windows Server Firewall More Control Firewall rules become more intelligent

15. Windows Server Firewall More Control Policy-based networking

16. Enhancing and Simplifying IPsec

17. Threat and Vulnerability Mitigation

18. Servers with Sensitive Data Server Isolation HR Workstation Managed Computer Domain Isolation Domain Isolation Managed Computer Active Directory Domain Controller Corporate Network Trusted Resource Server X Unmanaged/Rogue Computer X Untrusted Server and Domain Isolation

19. POLICY SERVERS e.g. MSFT Security Center, SMS, Antigenor 3rd party Fix Up Servers e.g. MSFT WSUS, SMS & 3rd party Restricted Network CORPORATE NETWORK Network Access ProtectionWindows Server 2008 3 Not policy compliant 1 2 4 MSFT Network Policy Server Windows Vista Client Policy compliant DHCP, VPN Switch/Router 5 Enhanced Security All communications are authenticated, authorized & healthy Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X Policy-based access that IT Pros can set and control BENEFITS Increased Business Value Preserves user productivity Extends existing investments in Microsoft and 3rd party infrastructure Broad industry partnership

20. Read-Only Domain Controller Read-Only Copy of AD Database Can Hold all Directory Objects & Attributes Maintains Read-Only Copy of DNS Zones HUB  Writeable DC  Secure Location Unidirectional Replication No Local Changes – Pull from Upstream Only Controlled Replication - Limits Bandwidth Use Credential Handling Can Cache User Passwords (Explicitly Set) Admin Knowledge of Accounts if Compromised RODC May Only Issue Local Auth Tickets Branch Administrative Role Separation Management Delegated to Local User No Enterprise or Domain DC Membership  Read-Only DC  Read-Only DNS  One-way Replication  Credential Cache  Local Admin Role 

21. How RODC Works AS_Req sent to RODC (request for TGT) 1 2 RODC: Looks in DB: "I don't have the users secrets" 3 Hub Branch Forwards Request to Windows Server "Longhorn" DC 3 7 Windows Server "Longhorn" DC Read Only DC Windows Server "Longhorn" DC authenticates request 4 4 2 5 Returns authentication response and TGT back to the RODC 5 1 RODC gives TGT to User and RODC will cache credentials 6 6 At this point the user will have a hub signed TGT 7

22. Read-only DC Mitigates Stolen DC Attacker Perspective

23. Read-only DC Mitigates Stolen DC Hub Admin Perspective

24. Improved Auditing More Granularity Support for many auditing subcategories: Logon, logoff, file system access, registry access, use of administrative privilege, Active Directory Captures the Who, the What, & the When From and To Values for Objects or Attributes Logs All – Creates, Modifies, Moves, Deletes New Logging Infrastructure Easier to filter out “noise” in logs Tasks tied to events: When an event occurs tasks such as sending an Email to an auditor can run automatically

25. Identity and Access Control

26. Active Directory Federation Services Full implementation of a ‘claims-based’ architecture based on WS-Federation Fully integrated with Active Directory Supports group, role and rules-based models Partner Value Add BMC, Centrify & Quest: Multi-platform support Business Benefits Enables new models for cross-company single sign-on systems Facilitates single-sign across Windows and non-Windows environments Reduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information

27. Authentication Improvements Plug and Play Smart Cards Drivers and Certificate Service Provider (CSP) included Login and credential prompts for User Account Control all support Smart Cards New logon architecture GINA (the old Windows logon model) is gone Third parties can add biometrics, one-time password tokens, and other authentication methods with much less coding

28. Granular Policy Control Allows to set Password Policies on Users and/or Groups (different from the domain‘s Password Policies) Big Win for Customers:Requirements for different Password Policies do not result in deploying multiple domains anymore New Object-Type in Active Directory, the Password Settings Object Password Settings are configured using those Objects in the Password Settings Container

29. ComplianceEnhancements

30. AD Rights Management Services AD RMS protects access to an organization’s digital files AD RMS in Windows Server "Longhorn" includes several new features Improved installation and administration experience Self-enrollment of the AD RMS cluster Integration with AD FS New AD RMS administrative roles SQL Server Active Directory RMS Server 1 3 2 Information Author The Recipient

31. BitLocker™ Drive Encryption Full Volume Encryption Key (FVEK) Encryption Policy Group Policy allows central encryption policy and provides Branch Office protection Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System Uses a v1.2 TPM or USB flash drive for key storage

32. Information Protection Who are you protecting against? Other users or administrators on the machine? EFS Unauthorized users with physical access? BitLocker™ Some cases can result in overlap. (e.g. Multi-user roaming laptops with untrusted network admins)

33. Removable Device Installation Control Benefits: Reduced Support Costs Reduced Risk of Data Theft Scenarios: Prevent installation of all devices Allow installation of only allowed devices Prevent installation of only prohibited devices

34. Learning curriculum Hands on lab Sample codes Videos Slides E-Certification Online Assessment

35. eBooks in Bahasa

36. Indonesia Developer Portal http://geeks.netindonesia.net

37. IT Professional Portal http://wss-id.org

38. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.