2. Agenda
- Security Fundamentals
- Threat and Vulnerability Mitigation
- Identity and Access Control
- Compliance Enhancements
- Technology Coverage: Read-Only Domain Controller, BitLocker, Service Hardening, Server Core, Device Installation, Next Gen firewall, NAP and Terminal Services/RDP changes, Rights Management, … and more
3. Security overview: Fundamentals, Threat & Vulnerability Mitigation, Identity & Access Control, Compliance Enhancements
Fundamentals:
- Security Development Lifecycle
- Windows Service Hardening
- Next Generation Crypto
- PKI Enhancements
Threat & Vulnerability Mitigation:
- Network Access Protection
- Read-Only Domain Controller
- Enhanced Auditing
- Server and Domain Isolation
Identity & Access Control and Compliance Enhancements:
- BitLocker™ Drive Encryption
- EFS
- Smartcards
- Rights Management Server
- Removable Device Control
- Active Directory Federation Services
- Plug and Play Smartcards
- Granular Auditing
- Granular Password Control
Security and Compliance
5. Security Development Lifecycle
- Mandated development process for Windows Server and Windows Vista
- Periodic mandatory security training
- Assignment of security advisors for all components
- Threat modeling as part of the design phase
- Security reviews and testing built into the schedule
- Security metrics for product teams
- Common Criteria (CC) Certification
6. Windows Service Hardening
Diagram (Defense-in-Depth / Factoring): layers of kernel drivers, user-mode drivers and services (Service 1, 2, 3, A, B, …); goals shown: reduce the size of high-risk layers, segment the services, increase the number of layers.
7. Server Core
- Minimal installation option
- Low surface area
- Command line interface
- Limited set of server roles
Diagram: a full SERVER install carries server roles (for example only: TS, IAS, WebServer, SharePoint, etc.) on top of SERVER with WinFx, Shell, Tools, etc. (GUI, CLR, Shell, IE, Media, OE, etc.); SERVER CORE carries the roles DNS, DHCP, File, AD, WV, IIS on top of Security, TCP/IP, File Systems, RPC, plus other core server sub-systems.
9. Cryptography Next Generation (CNG)
- Includes algorithms for encryption, digital signatures, key exchange, and hashing
- Supports cryptography in kernel mode
- Supports the current set of CryptoAPI 1.0 algorithms
- Support for elliptic curve cryptography (ECC) algorithms
- Performs basic cryptographic operations, such as creating hashes and encrypting and decrypting data
10. PKI Enhancements
- Online Certificate Status Protocol (OCSP)
- Enterprise PKI (PKIView)
- Network Device Enrollment Service and Simple Certificate Enrollment Protocol
- Web Enrollment
18. Server and Domain Isolation
Diagram: corporate network with an Active Directory domain controller. Domain isolation: managed computers (e.g. an HR workstation) communicate with each other and with a trusted resource server, while an unmanaged/rogue computer and an untrusted server are blocked (X). Server isolation: servers with sensitive data are reachable only from authorized managed computers.
19. Network Access Protection (Windows Server 2008)
Diagram (steps 1 to 5): Windows Vista client; DHCP, VPN, switch/router; MSFT Network Policy Server; policy servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party); a client that is not policy compliant is placed on a restricted network with fix-up servers (e.g. MSFT WSUS, SMS & 3rd party); a policy-compliant client is admitted to the corporate network.
Benefits
Enhanced Security:
- All communications are authenticated, authorized & healthy
- Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
- Policy-based access that IT Pros can set and control
Increased Business Value:
- Preserves user productivity
- Extends existing investments in Microsoft and 3rd party infrastructure
- Broad industry partnership
20. Read-Only Domain Controller
Read-Only Copy of AD Database:
- Can hold all directory objects & attributes
- Maintains a read-only copy of DNS zones
Unidirectional Replication:
- No local changes; pull from upstream (hub writeable DC in a secure location) only
- Controlled replication limits bandwidth use
Credential Handling:
- Can cache user passwords (explicitly set)
- Admins know which accounts are exposed if the RODC is compromised
- RODC may only issue local auth tickets
Administrative Role Separation:
- Management delegated to a local user
- No Enterprise or Domain DC group membership
Diagram labels: Hub (writeable DC, secure location); Branch (Read-Only DC, Read-Only DNS, One-way Replication, Credential Cache, Local Admin Role)
21. How RODC Works
1. AS_Req (request for TGT) is sent to the RODC in the branch
2. RODC looks in its DB: "I don't have the user's secrets"
3. RODC forwards the request to a Windows Server "Longhorn" DC in the hub
4. Windows Server "Longhorn" DC authenticates the request
5. Hub DC returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and caches the credentials
7. At this point the user has a hub-signed TGT
24. Improved Auditing
More Granularity:
- Support for many auditing subcategories: logon, logoff, file system access, registry access, use of administrative privilege, Active Directory
- Captures the who, the what & the when
- From and to values for objects or attributes
- Logs all: creates, modifies, moves, deletes
New Logging Infrastructure:
- Easier to filter out "noise" in logs
- Tasks tied to events: when an event occurs, tasks such as sending an e-mail to an auditor can run automatically
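The "from and to values" and the create/modify/move/delete records above come from the Directory Service Changes subcategory; as an added example (not from the slide deck), this enables that subcategory with auditpol.exe and reads the resulting Security-log events. It assumes an elevated PowerShell 2.0 or later session on a Windows Server 2008 or later domain controller.

```powershell
# Added example, not from the slide deck. Run elevated on a domain controller.
# Enable the granular subcategory rather than the legacy "directory service access" category.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Event IDs this subcategory writes to the Security log (Windows Server 2008 and later)
$dsChangeIds = @{
    5136 = 'Attribute modified'   # old and new value arrive as separate records
    5137 = 'Object created'
    5138 = 'Object undeleted'
    5139 = 'Object moved'
    5141 = 'Object deleted'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($dsChangeIds.Keys)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # On 5136, OperationType %%14674 = value added (the "to"), %%14675 = value deleted (the "from")
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Action    = $dsChangeIds[[int]$e.Id]
        Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
        Operation = $data['OperationType']
    }
}
```

The paired 5136 records for one attribute change give the before and after values the slide describes; everything else in the Security log is left out by the Id filter.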
26. Active Directory Federation Services
- Full implementation of a 'claims-based' architecture based on WS-Federation
- Fully integrated with Active Directory
- Supports group, role and rules-based models
Partner Value Add:
- BMC, Centrify & Quest: multi-platform support
Business Benefits:
- Enables new models for cross-company single sign-on systems
- Facilitates single sign-on across Windows and non-Windows environments
- Reduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information
27. Authentication Improvements
Plug and Play Smart Cards:
- Drivers and Cryptographic Service Provider (CSP) included
- Logon and credential prompts for User Account Control all support smart cards
New logon architecture:
- GINA (the old Windows logon model) is gone
- Third parties can add biometrics, one-time password tokens, and other authentication methods with much less coding
28. Granular Policy Control
- Allows setting password policies on users and/or groups (different from the domain's password policies)
- Big win for customers: requirements for different password policies no longer force the deployment of multiple domains
- New object type in Active Directory, the Password Settings Object
- Password settings are configured using those objects in the Password Settings Container
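As an added example (not from the slide deck), this creates one Password Settings Object, links it to a group, and checks which policy a member actually gets. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or later; on Server 2008 itself the same objects are created with ADSI Edit or ldifde) and a constructed group "Tier0-Admins" with a constructed member "constructed.admin".

```powershell
# Added example, not from the slide deck. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Lower Precedence wins if a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs are linked to users and global security groups, never to OUs.
# "Tier0-Admins" is a constructed group name.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Resultant policy for a member; an empty result means the domain policy still applies.
Get-ADUserResultantPasswordPolicy -Identity 'constructed.admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# The PSO is stored in the Password Settings Container named on the slide.
$psc = "CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $psc -Filter 'objectClass -eq "msDS-PasswordSettings"' |
    Select-Object Name, DistinguishedName
```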
30. AD Rights Management Services
- AD RMS protects access to an organization's digital files
- AD RMS in Windows Server "Longhorn" includes several new features:
  - Improved installation and administration experience
  - Self-enrollment of the AD RMS cluster
  - Integration with AD FS
  - New AD RMS administrative roles
Diagram (steps 1 to 3): Information Author, AD RMS Server (backed by SQL Server and Active Directory), The Recipient
31. BitLocker™ Drive Encryption
- Full Volume Encryption Key (FVEK)
- Encryption policy: Group Policy allows a central encryption policy and provides branch office protection
- Provides data protection even when the system is in unauthorized hands or is running a different or hostile operating system
- Uses a v1.2 TPM or USB flash drive for key storage
32. Information Protection
Who are you protecting against?
- Other users or administrators on the machine? EFS
- Unauthorized users with physical access? BitLocker™
Some cases can result in overlap (e.g. multi-user roaming laptops with untrusted network admins).
33. Removable Device Installation Control
Benefits:
- Reduced support costs
- Reduced risk of data theft
Scenarios:
- Prevent installation of all devices
- Allow installation of only allowed devices
- Prevent installation of only prohibited devices
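As an added example (not from the slide deck), this maps the three scenarios above onto the registry values that back the Device Installation Restrictions Group Policy settings, written locally for illustration; in production the same values are delivered by GPO. The hardware IDs are constructed placeholders; the setup class GUID is the real DiskDrive class. Run elevated.

```powershell
# Added example, not from the slide deck. Registry-backed view of the
# "Device Installation Restrictions" policy settings; run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Reset-DeviceInstallPolicy {
    if (Test-Path $base) { Remove-Item $base -Recurse -Force }
    New-Item $base -Force | Out-Null
    # Let administrators override, so a locked-down policy cannot strand a server
    Set-ItemProperty $base AllowAdminInstall 1 -Type DWord
}

function Set-IdList($name, [string[]]$ids) {
    # The enabling flag is a DWORD on the parent key; the IDs live in a subkey
    # of the same name as string values named "1", "2", ...
    Set-ItemProperty $base $name 1 -Type DWord
    $key = New-Item "$base\$name" -Force
    $i = 1
    foreach ($id in $ids) { Set-ItemProperty $key.PSPath "$i" $id -Type String; $i++ }
}

function Set-DeviceInstallScenario([ValidateSet('DenyAll','AllowListOnly','DenyListOnly')]$Scenario) {
    Reset-DeviceInstallPolicy
    switch ($Scenario) {
        'DenyAll' {
            # Prevent installation of all devices not described by other settings (none here)
            Set-ItemProperty $base DenyUnspecified 1 -Type DWord
        }
        'AllowListOnly' {
            # Default deny, plus an explicit allow list keyed by hardware ID
            Set-ItemProperty $base DenyUnspecified 1 -Type DWord
            Set-IdList 'AllowDeviceIDs' @('USB\VID_0000&PID_0001')   # constructed approved device
        }
        'DenyListOnly' {
            # Everything installs except the named hardware IDs and setup classes
            Set-IdList 'DenyDeviceIDs' @('USB\VID_0000&PID_0002')     # constructed banned device
            Set-IdList 'DenyDeviceClasses' @('{4d36e967-e325-11ce-bfc1-08002be10318}')  # DiskDrive class
        }
    }
    Get-ItemProperty $base |
        Format-List DenyUnspecified, AllowDeviceIDs, DenyDeviceIDs, DenyDeviceClasses, AllowAdminInstall
}

Set-DeviceInstallScenario 'AllowListOnly'
```

Devices already installed keep working unless the corresponding "also apply to matching devices that are already installed" policy option is enabled; the restrictions act at driver installation time.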