Matt Heller, Aaron Margosis (Microsoft Corporation), CLI 314



3 Overview
- New Security Features (15 min)
- New Privacy Features (15 min)
- Managing & Configuring Security Features (35 min)
- Q&A (10 min)

5 Threat Vectors
- Increasing severity & ways of risk
- Blended threats shifting from the browser to sites
- Impact to data governance & regulations
- Rapid pace of threat innovation
- Consumer & employee data at risk

6 Web 2.0 - Challenge or Opportunity?
- Efficiency, economics & expectations
- Syndicated content and ad business model enables sites and business
- Growth in ecommerce depends on consumer trust
- Trust may be undermined by less than transparent collection of data and inadequate protection of privacy
- Unknown accountability - 1st party & 3rd parties
- Potential backlash & heightened consumer concerns

7 Internet Explorer 8 Trustworthy Browsing
- Confidently bank, communicate & shop (Social Engineering & Privacy): Extended Validation (EV) SSL Certificates; SmartScreen® Filter – blocks phishing & malware; Domain Highlighting; Enhanced Delete Browsing History; InPrivate™ Browsing & Filtering
- Build on a secure foundation (Browser Vulnerabilities): Security Development Lifecycle (SDL); Protected Mode; ActiveX Controls; DEP – Data Execution Prevention
- Extends browser protection to the web server (Web Server & Applications): HttpOnly cookies; Group Policies; XDomainRequest – Cross Domain Requests; XDM – Cross Domain Messaging; XSS Filter – Cross Site Scripting; Anti-ClickJacking

8 Domain Highlighting
- More accurately ascertain the domain of the visiting
- The domain is black, vs. other characters which are gray.

9 Social Engineering
- Emerging threat vector & diversification
- Address concerns of users and site owners
- SmartScreen® Filter: integrated phishing & malware download protection
- Examines URL string, preempting evolving threats
- Blocks 1 million+ weekly attempts to visit phish sites
- Significant malware site detection volumes: ~10x traffic as compared to phishing (IE8 beta users)
- Group Policy support – key IT requirement
- 24x7 support processes and feedback mechanisms

10 SmartScreen Filter

11 IE 8 XSS Filter (Web Server & Applications)
- Identifies & neuters the attack
- Blocks the malicious script from executing.

12 Cross Site Scripting Filter

13 ActiveX Controls
- Granular level control provides ultimate control & flexibility
- Domain Administrators have full control over approved ActiveX lists

14 Per-User ActiveX Controls; Per-Site ActiveX Controls

15 Per-User ActiveX Conversion Toolkit http://www.codeplex.com/pact

16 Protected Mode
- Limits access to file system and registry
- Reduces escalation of privilege attacks
- Application compatibility impacts: shims, read/write failures, broker process

17 Internet Explorer 7 Process Model

18 Internet Explorer 8 Process Model (LCIE)

20 Security vs. Privacy
- Security: core engineering issues; protection from harm; protection from fraud
- Privacy: control over preferences; control over how information is shared

21 Privacy is all about being in control
- Control == Notice + Consent

22 Does Privacy Exist?
- Having records online, using surveillance cameras – not necessarily illegal
- It's because "contextual integrity" is violated
- Information is transferred in context
- A context has a set of norms
- When information is transferred from one context to another without notice and consent, contextual integrity is violated.

23 Web Privacy Issues Today – some examples

24 Internet Explorer 8 Privacy Goals
- Put the user in control of the web browser
  - Shared PC: Delete Browsing History; InPrivate™ Browsing
  - On the Web: InPrivate™ Filtering
- Build useful, convenient features to make it easy to stay in control
- Leap ahead of the competition: InPrivate Filtering; preserve Favorites data

25 Delete Browsing History
- Preserve data from Favorites sites: keep the useful stuff, delete the not-so-useful stuff
- Convenient: checkboxes! Delete Browsing History on Exit! Group Policy!

26 Delete Browsing History

27 InPrivate Browsing
- Creates a new browsing window that does not record browsing history
- Some things that are turned off: History; Cookies (accepted, but downgraded to session-only); Suggested Sites; Form data saving
- Things that are deleted when you exit: Temporary Internet Files; Compatibility View list; ActiveX Opt-In list

28 InPrivate™ Browsing

29 InPrivate Browsing FAQ
- Parental Controls disables InPrivate Browsing
- IT scenarios: InPrivate Browsing can be disabled via GP; does not interfere with proxy servers; proxy servers will record sites browsed; does not provide anonymization
- Add-ons: UI toolbars, BHOs not loaded by default; APIs are available for ActiveX Controls; Suggested Sites feature is turned off

30 Third Party Content Serving
- Over time, users' history and profiles can unknowingly be aggregated
- Any third-party content can be used like a tracking cookie
- There is little end-user notification or control today: syndicated photos, weather, stocks, news articles, local analytics, etc.
- Unclear accountability with third party security & privacy policies
[Diagram: a user visits unique sites (msn.com, ebay.com, amazon.com, cnn.com, cnet.com, about.com, msnbc.com, nytimes.com), each of which embeds content from the same 3rd-party syndicator web server (Prosware-sol.com)]

31 InPrivate Filtering
- Helps give you control over which 3rd-party content providers have a line of sight into your web browsing
- Keeps a table of 3rd-party content and the 1st-party sites the content was loaded from
- Allows you to block content that passes a configurable threshold (10 1st-party sites by default)

32 InPrivate Filtering

33 InPrivate Filtering FAQ (short list)
- If I have a website, what do I do? Will my website break? IE8 includes a JavaScript-accessible API (bool InPrivateFilteringEnabled()) that lets website owners detect when InPrivate Filtering is enabled
- Not an ad blocker: some advertisements may be blocked; InPrivate Filtering is a privacy tool; it can only block content that has a "line of sight" into your browsing history
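The table and threshold described on slides 31 and 33, as an added model that is not Internet Explorer's own code: every 3rd-party content URL is keyed against the set of 1st-party sites it was loaded from, and it is blocked once that set reaches the threshold (10 by default). The sample sites, the tracker URL, the choice to key on origin plus path (ignoring query strings) and the `ext` stand-in for the object exposing `InPrivateFilteringEnabled()` are assumptions.

```javascript
// Added example (not IE8 code): model of the InPrivate Filtering table.
const DEFAULT_THRESHOLD = 10; // "10 1st-party sites by default" per the slide

class InPrivateFilterModel {
  constructor(threshold = DEFAULT_THRESHOLD) {
    this.threshold = threshold;
    this.table = new Map(); // content key -> Set of 1st-party hostnames
  }

  // Record one resource load from a page. Returns true when the 3rd-party
  // resource has now been seen from >= threshold distinct 1st-party sites.
  observe(pageUrl, resourceUrl) {
    const site = new URL(pageUrl).hostname;
    const res = new URL(resourceUrl);
    if (res.hostname === site) return false; // same host: 1st-party, not tracked
    // Assumption: key on origin + path so a per-site query string such as
    // ?ref=<site> does not split one tracker into many table entries.
    const key = res.origin + res.pathname;
    let seen = this.table.get(key);
    if (!seen) { seen = new Set(); this.table.set(key, seen); }
    seen.add(site);
    return seen.size >= this.threshold;
  }

  isBlocked(resourceUrl) {
    const res = new URL(resourceUrl);
    const seen = this.table.get(res.origin + res.pathname);
    return !!seen && seen.size >= this.threshold;
  }
}

// Constructed session: one tracking pixel embedded on many unrelated sites.
const SAMPLE_SITES = ["msn.com", "ebay.com", "amazon.com", "cnn.com",
  "cnet.com", "about.com", "msnbc.com", "nytimes.com"];

function simulate(threshold = DEFAULT_THRESHOLD) {
  const model = new InPrivateFilterModel(threshold);
  return SAMPLE_SITES.map((site) => ({
    site,
    blocked: model.observe(`https://www.${site}/index.html`,
      `https://tracker.example/pixel.gif?ref=${site}`),
  }));
}

// Site-owner detection: the slide names a JavaScript-accessible
// bool InPrivateFilteringEnabled(); `ext` stands in for the host object
// that exposes it (assumption), so the check degrades safely elsewhere.
function filteringEnabled(ext) {
  try { return typeof ext?.InPrivateFilteringEnabled === "function" && ext.InPrivateFilteringEnabled() === true; }
  catch { return false; }
}
```

With the default threshold the eight constructed sites never trigger a block; lowering the threshold shows the tracker being cut off as soon as the count is reached.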

34 3rdParty.html

36 Understanding Security Zones
- Security Zones
- Settings: Policies and Preferences
- Templates
- Some Things To Know

37 Security Zones
- 0. Computer zone, a.k.a. Local Machine Zone
- 1. Local Intranet
- 2. Trusted Sites
- 3. Internet
- 4. Restricted Sites

38 Security Zone Settings
- User Preferences and Machine Preferences
- User Policies and Machine Policies

39 Precedence Order for Each Setting
1. Machine Policies
2. User Policies
3. User Preferences
4. Machine Preferences

40 "Use Only Machine Settings"
1. Machine Policies
2. User Policies
3. User Preferences
4. Machine Preferences

41 Templates
- Pre-defined sets of settings: High, Medium-High, Medium, Medium-Low, Low
- Can be copied into Preferences for a zone (click "Default level" button in IE Properties)
- Not used by Group Policy
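The four-layer precedence on slides 39 and 40 and the template behaviour on slide 41, as an added model that is not IE's own resolution code: the first layer that defines a setting wins, templates can only be copied into a Preferences layer, and "Use Only Machine Settings" is modelled as ignoring both user layers (an assumption, since the slide shows only the list). The setting names and template contents are constructed.

```javascript
// Added example (not IE code): effective security-zone settings across layers.
const PRECEDENCE = ["machinePolicy", "userPolicy", "userPreference", "machinePreference"];

// Constructed template values; the real template contents are not on the slides.
const TEMPLATES = {
  "Medium-Low": { activeScripting: "enable", fileDownload: "enable" },
  Medium:       { activeScripting: "enable", fileDownload: "prompt" },
  High:         { activeScripting: "disable", fileDownload: "disable" },
};

function newZone() {
  return { machinePolicy: {}, userPolicy: {}, userPreference: {}, machinePreference: {} };
}

// "Default level" copies a template into one Preferences layer of a zone;
// per slide 41, templates are not used by Group Policy (the policy layers).
function applyTemplate(zone, layer, templateName) {
  if (!layer.endsWith("Preference")) throw new Error("templates only feed Preferences layers");
  Object.assign(zone[layer], TEMPLATES[templateName]);
  return zone;
}

// Walk the layers in precedence order; the first one defining the setting wins.
// useOnlyMachineSettings drops both user layers (assumption, see lead-in).
function effectiveSetting(zone, name, useOnlyMachineSettings = false) {
  const order = useOnlyMachineSettings ? PRECEDENCE.filter((l) => l.startsWith("machine")) : PRECEDENCE;
  for (const layer of order) {
    if (name in zone[layer]) return { value: zone[layer][name], source: layer };
  }
  return { value: undefined, source: null };
}

function effectiveSettings(zone, useOnlyMachineSettings = false) {
  const names = new Set(Object.values(zone).flatMap(Object.keys));
  const out = {};
  for (const n of names) out[n] = effectiveSetting(zone, n, useOnlyMachineSettings);
  return out;
}

// Worked case: Trusted Sites seeded with the IE7/8 Medium template as machine
// preferences, a user who loosened fileDownload in their own preferences, and
// a machine policy that forces activeScripting off for everyone.
function trustedSitesExample() {
  const zone = applyTemplate(newZone(), "machinePreference", "Medium");
  zone.userPreference.fileDownload = "enable";
  zone.machinePolicy.activeScripting = "disable";
  return { normal: effectiveSettings(zone), machineOnly: effectiveSettings(zone, true) };
}
```

Comparing `normal` and `machineOnly` shows why a user preference can quietly override a machine preference, and why only a policy (or the machine-only switch) reliably pins a setting.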

42 Some Things To Know: Local Intranet vs. Trusted Sites
- In IE 6 and earlier: Local Intranet → Medium-Low template; Trusted Sites → Low template
- In IE 7 and 8: Local Intranet → Medium-Low template; Trusted Sites → Medium template

43 Some Things To Know: Local Intranet vs. Trusted Sites

44 Mapping Sites to Zones
- Default mappings
- Site to Zone Assignment List: Computer Configuration | Windows Components | Internet Explorer | Internet Control Panel | Security Page
- Proxy Bypass List

45 Some Things To Know: The "Lockdown Zones"
- Local Machine Lockdown Zone is the only interesting one
- Introduced in Windows XP SP2
- Makes LMZ very restrictive until user approves

46 Some Things To Know: Viewing Settings on a policy-controlled system

47 IEZoneAnalyzer http://blogs.technet.com/fdcc

49 Resources
- www.microsoft.com/teched – Sessions On-Demand & Community
- http://microsoft.com/technet – Resources for IT Professionals
- http://microsoft.com/msdn – Resources for Developers
- www.microsoft.com/learning – Microsoft Certification & Training Resources
(Required slide note: Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.)

50 Related Content
- WCL20 – HOL Deploying Internet Explorer 8 In the Enterprise
- WCL21 – HOL Preparing for Windows Internet Explorer 8: Application Compatibility
- WCL22 – HOL Using Accelerators and WebSlices in the Enterprise
- WCL25 – Internet Explorer 8: Build Your Own Search Suggestions Provider
- WCL26 – Internet Explorer 8: Building Web Slices
- WCL27 – Internet Explorer 8: Managing Security Settings in the Enterprise
- WCL28 – Managing Internet Explorer 8 In the Enterprise
(Required slide note: Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session.)

51 References and Resources
- Security Zones: IE blog posts on the FDCC blog (series of posts explaining security zones and some effects of strict policies; IEZoneAnalyzer utility; The Local Intranet Zone and Proxies)
- Security Zone registry entries (KB 182569)
- IE blogs: http://blogs.msdn.com/ie; http://blogs.msdn.com/ieinternals (Eric Lawrence)

52 Internet Explorer Resources
- Internet Explorer Site: www.microsoft.com/ie8
- Engineering Blog: blogs.msdn.com/ie
- Internet Explorer TechNet Site: technet.microsoft.com/ie
- Group Policy Settings for IE8: www.microsoft.com/downloads/details.aspx?familyid=AB4655F2-0A3C-42EB-974D-24B2790BF592&displaylang=en
- Desktop Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en

53 Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

54 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
