Wave 14 - Windows 7 Security Story Core by MVP Azra Rizal
1. Enhance Security and Control Azra Rizal Security Advisor | DP&E | Microsoft Corporation
2. Windows 7 Enterprise Security Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable. Fundamentally Secure Platform Protect Users & Infrastructure Securing Anywhere Access Protect Data from Unauthorized Viewing Windows Vista Foundation Streamlined User Account Control Enhanced Auditing Network Security Network Access Protection DirectAccess™ AppLocker™ Internet Explorer 8 Data Recovery RMS EFS BitLocker
3. Fundamentally Secure Platform Windows Vista Foundation Enhanced Auditing Streamlined User Account Control Make the system work well for standard users Administrators use full privilege only for administrative tasks File and registry virtualization helps applications that are not UAC compliant XML based Granular audit categories Detailed collection of audit results Simplified compliance management Security Development Lifecycle process Kernel Patch Protection Windows Service Hardening DEP & ASLR IE 8 inclusive Mandatory Integrity Controls
4. User Account Control Windows Vista System Works for Standard User All users, including administrators, run as Standard User by default Administrators use full privilege only for administrative tasks or applications Streamlined UAC Reduce the number of OS applications and tasks that require elevation Refactor applications into elevated/non-elevated pieces Flexible prompt behavior for administrators Challenges Customer Value User provides explicit consent before using elevated privilege Disabling UAC removes protections, not just consent prompt Users can do even more as a standard user Administrators will see fewer UAC Elevation Prompts Windows 7
5. Desktop Auditing Windows Vista Enhanced Auditing New XML based events Fine grained support for audit of administrative privilege Simplified filtering of “noise” to find the event you’re looking for Tasks tied to events Simplified configuration results in lower TCO Demonstrate why a person has access to specific information Understand why a person has been denied access to specific information Track all changes made by specific people or groups Challenges Granular auditing complex to configure Auditing access and privilege use for a group of users Windows 7
6. Securing Anywhere Access Network Security DirectAccess™ Network Access Protection Ensure that only “healthy” machines can access corporate data Enable “unhealthy” machines to get clean before they gain access Security protected, seamless, always on connection to corporate network Improved management of remote users Consistent security for all access scenarios Windows Firewall can coexist with 3rd party products Multi-Home Profiles DNSSec
7. Network Access Protection Remediation Servers Example: Patch Restricted Network Corporate Network Policy Servers such as: Patch, AV Health policy validation and remediation Helps keep mobile, desktop and server devices in compliance Reduces risk from unauthorized systems on the network Not policy compliant Policy compliant DHCP, VPN Switch/Router Windows Client NPS Windows 7
8. Remote Access for Mobile Workers Access Information Anywhere Situation Today DirectAccess™ Difficult for users to access corporate resources from outside the office Challenging for IT to manage, update, patch mobile PCs while disconnected from company network Same experience accessing corporate resources inside and outside the office Seamless connection increases productivity of mobile users Easy to service mobile PCs and distribute updates and policies Windows 7 Solution
9. Protect Users & Infrastructure AppLocker™ Data Recovery Internet Explorer 8 Protect users against social engineering and privacy exploits Protect users against browser based exploits Protect users against web server exploits File back up and restore CompletePC™ image-based backup System Restore Volume Shadow Copies Volume Revert Enables application standardization within an organization without increasing TCO Increase security to safeguard against data and privacy loss Support compliance enforcement
10. Application Control Situation Today AppLocker™ Eliminate unwanted/unknown applications in your network Enforce application standardization within your organization Easily create and manage flexible rules using Group Policy Users can install and run non-standard applications Even standard users can install some types of software Unauthorized applications may: Introduce malware Increase helpdesk calls Reduce user productivity Undermine compliance efforts Windows 7 Solution
12. Building on IE7 and addressing the evolving threat landscape Social Engineering & Exploits Reduce unwanted communications Freedom from intrusion International Domain Names Pop-up Blocker in IE7 Increased usability Browser & Web Server Exploits Protection from deceptive websites, malicious code, online fraud, identity theft Protection from harm Secure Development Lifecycle Extended Validation (EV) SSL certs SmartScreen® Filter Domain Highlighting XSS Filter/ DEP/NX ActiveX Controls Choice and control Clear notice of information use Provide only what is needed Control of information User-friendly, discoverable notices P3P-enabled cookie controls Delete Browsing History InPrivate™ Browsing & Blocking Internet Explorer 8 Security
13. Protect Data from Unauthorized Viewing RMS BitLocker EFS User-based file and folder encryption Ability to store EFS keys on a smart card Easier to configure and deploy Roam protected data between work and home Share protected data with co-workers, clients, partners, etc. Improve compliance and data security Policy definition and enforcement Protects information wherever it travels Integrated RMS Client Policy-based protection of document libraries in SharePoint
16. Gartner “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08” 18 April 2008, Mikako Kitagawa, George Shiffler III Windows 7 Solution
17. BitLocker Technical Details BitLocker Enhancements Automatic 200 Mb hidden boot partition New Key Protectors Domain Recovery Agent (DRA) Smart card – data volumes only BitLocker To Go™ Support for FAT* Protectors: DRA, passphrase, smart card and/or auto-unlock Management: protector configuration, encryption enforcement
18. Windows 7 Enterprise Security Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable. Fundamentally Secure Platform Protect Users & Infrastructure Securing Anywhere Access Protect Data from Unauthorized Viewing Windows Vista Foundation Streamlined User Account Control Enhanced Auditing Network Security Network Access Protection DirectAccess™ AppLocker™ Internet Explorer 8 Data Recovery RMS EFS BitLocker
20. Convergence of DLP and RMS Centralized Policy Policies Pushed into Infrastructure Enable advanced workflow Identify and Classify Data Leverage Controls to Protect Data Block Warn RMS Monitor
One of the goals of Windows 7 is to enable users to access the information that they need whether they are in or out of the office. In the past few years, Microsoft has made getting to email from outside the office easier. First we had Outlook Web Access, so we could access email through the web. Then we introduced RPC over HTTP, which just requires an Internet connection to connect to the Exchange server. But users still have a challenge when accessing resources that are inside the corporate network. For example, users cannot open links to an internal Web site or share included in an email. The most common method to access these resources is VPN. VPN can be hard for users because it takes time and multiple steps to initiate the VPN connection and wait for the PC to be authenticated by the network. Hence, most remote users try to avoid VPN'ing as much as possible and stay disconnected from the corporate network as much as they can. At this point we run into a chicken-and-egg problem: since remote users are disconnected, IT cannot service them while they are away from work, so remote users fall further out of date and it gets harder and harder for them to access corporate resources. With the capabilities Windows 7 enables, users who have Internet access will be automatically connected to their corporate network. A user who is sitting in a coffee shop can open his laptop, connect to the Internet using the coffee shop's wireless access and start working as if he were in the office. The user in this case will be able to not only use Outlook, but also work with intranet sites, open corporate shares, use LOB applications, and basically have full access to corporate resources. The Direct Access solution is also very appealing to IT professionals: servicing mobile users has been an issue since they could be disconnected from the corporate network for a long time. With Direct Access, as long as they have Internet connectivity, users will be on the corporate network.
Servicing mobile users (such as distributing updates and policies) becomes easier since they can be reached more frequently. Deploying Windows 7 will not automatically enable this type of work access connection. You will have the choice to enable it or not, and it will require changes to your backend network infrastructure, including having some servers running Windows Server 2008 R2. But after it is implemented, the solution will have a major impact on the way your mobile employees work.
The longer a computer has been deployed, the more its software drifts away from the desired configuration. These inconsistencies are greatly accelerated by the installation and execution of non-standard software within the desktop environment. Users today bring software into the environment from home, through Internet downloads (intended and not intended!), and through email. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your PCs are running only approved, licensed software. Coupled with the compliance required in the enterprise through OCI, SOX, HIPAA and other compliance regulations, enterprises are renewing efforts to lock down their desktops as a means to: reduce total cost of ownership (TCO); increase security to safeguard against data loss and the threat of IT theft and to secure privacy; and support compliance solutions by validating which users can run specific applications. With Windows XP and Windows Vista, we gave IT administrators Software Restriction Policies to enable the definition of a relatively secure application lockdown policy. SRP has been utilized with tremendous success in many customer situations, but customers have requested more flexibility and control over the applications in their desktop environment. Windows 7 reenergizes application lockdown policies with a totally revamped set of capabilities in “Application Blocker”. “Application Blocker” provides a flexible mechanism that allows administrators to specify exactly what is allowed to run on their systems and gives users the ability to run applications, installation programs, and scripts that administrators have explicitly granted permission to execute. As a result, IT can enforce application standardization within their organization with minimal TCO implications.
“Application Blocker” provides a flexible mechanism that allows IT administrators to specify exactly which applications, install packages, and scripts are allowed to run on their systems. When enabled, the feature operates as an “allow list” by default. Users may only run applications, installation programs, and scripts that administrators have approved. Within these allow lists, IT administrators can call out exceptions to the allow list (e.g. allow everything in c:\windows\system32 to run, except the registry editor). In specific instances, where required, specific deny rules can also be enforced. “Application Blocker” enables IT to enforce application standardization within their organization with minimal cost implications. AppLocker enables IT administrators to manage applications beyond the traditional file name and hash mechanisms that are prevalent. This gives “Application Blocker” rules a resiliency throughout the software update lifecycle. For example, a rule could be written that says “allow all versions greater than 8.1 of the program Photoshop to run if it is signed by the software publisher Adobe.” Such a rule can be associated with existing security groups within an organization, providing controls that allow an organization to support compliance requirements by validating and enforcing which users can run specific applications. “Application Blocker” is a totally new feature that will only be available in the premium SKUs, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
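The rule semantics described above (default allow list, exceptions carved out of a rule, publisher rules with a version floor, group scoping, explicit deny rules), as an added Python model that is not code from the original deck or from Windows. The class names, group names and file paths are constructed for illustration, and deny is modelled as overriding allow, which is how AppLocker resolves conflicting rules.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class FileInfo:
    path: str
    publisher: str = ""          # signer from a verified signature, "" if unsigned
    product: str = ""
    version: tuple = (0, 0, 0, 0)

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    groups: set                  # security groups the rule is assigned to
    path: str = "*"              # path glob, compared case-insensitively
    publisher: str = ""          # required signer, "" = no publisher condition
    product: str = ""
    min_version: tuple = (0, 0, 0, 0)   # inclusive floor (assumption of this model)
    exceptions: list = field(default_factory=list)  # path globs carved out of the rule

    def matches(self, f, user_groups):
        p = f.path.lower()
        if not (self.groups & user_groups) or not fnmatchcase(p, self.path.lower()):
            return False
        if any(fnmatchcase(p, e.lower()) for e in self.exceptions):
            return False
        if self.publisher:       # file name is irrelevant; signature and version decide
            return ((f.publisher, f.product) == (self.publisher, self.product)
                    and f.version >= self.min_version)
        return True

def decide(rules, f, user_groups):
    """Deny rules win over allow rules; a file that no rule matches is blocked."""
    hits = [r for r in rules if r.matches(f, user_groups)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"

# Constructed sample policy mirroring the examples in the text.
POLICY = [
    Rule("allow", {"Everyone"}, path=r"c:\windows\system32\*",
         exceptions=[r"c:\windows\system32\regedt32.exe"]),
    Rule("allow", {"Designers"}, publisher="Adobe", product="Photoshop",
         min_version=(8, 1, 0, 0)),
    Rule("deny", {"Everyone"}, path=r"c:\users\*\downloads\*"),
]
```

Because the publisher rule ignores the file path and hash, it keeps matching after a software update, while an unsigned binary with the same name falls through to the default block.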
Let's discuss these in greater detail, with specific examples of what we have implemented in IE 7 as well as what is new in IE8 (in red).